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ENHANCING SOCIAL SECURITY NUMBER 

PRIVACY 


Tuesday June, 15, 2004 

U.S. House of Representatives, 

Committee on Ways and Means, 
Subcommittee on Social Security, 

Washington, DC. 

The Subcommittee met, pursuant to notice, at 11:00 a.m., in 
room B-318, Rayburn House Office Building, Hon. E. Clay Shaw, 
Jr. (Chairman of the Subcommittee) presiding. 

[The advisory and revised advisory announcing the hearing fol- 
low:] 


( 1 ) 



2 


ADVISORY 

FROM THE COMMITTEE ON WAYS AND MEANS 


SUBCOMMITTEE ON SOCIAL SECURITY 


FOR IMMEDIATE RELEASE CONTACT: (202) 225-9263 

June 08, 2004 

Shaw Announces Hearing on Enhancing Social 
Security Number Privacy 

Congressman E. Clay Shaw, Jr. (R-FL), Chairman, Subcommittee on Social Secu- 
rity of the Committee on Ways and Means, today announced that the Subcommittee 
will hold a hearing on enhancing Social Security number (SSN) privacy. The hear- 
ing will take place on Tuesday, June 15, 2004, in room B-318 Rayburn 
House Office Building, beginning at 10:00 a.m. 

In view of the limited time available to hear witnesses, oral testimony at this 
hearing will be from invited witnesses only. However, any individual or organization 
not scheduled for an oral appearance may submit a written statement for consider- 
ation by the Subcommittee and for inclusion in the printed record of the hearing. 

BACKGROUND: 


Identity theft is one of the fastest growing white-collar crimes, and it wreaks 
havoc with individuals’ lives. Identity theft occurs when someone uses a victim’s 
personal information — SSN, credit card number, or other identifying information — 
to commit fraud or other crimes. 

According to a Federal Trade Commission-sponsored survey, almost 10 million 
people discovered they were victims of identity theft in 2002. On average, victims 
spent $500 and took 30 hours clearing their names and restoring their credit. In 
the interim, many may have lost job opportunities, had loans refused, or even gotten 
arrested for crimes they didn’t commit. 

One reason identity thieves prize SSNs is because they are central to many busi- 
ness transactions. While SSNs were originally created in 1936 to track earnings for 
Social Security eligibility and benefit purposes, today SSNs are widely used in the 
public and private sectors as account numbers, to verify identity, and to compile in- 
formation across databases for use in everything from tracking down criminals to 
issuing credit. Despite SSNs’ integral role in all sorts of transactions, their confiden- 
tiality is not well protected. SSNs are often on display to the general public on em- 
ployee badges, licenses, in court documents, or on the Internet. 

In order to protect the privacy of SSNs, Subcommittee on Social Security Chair- 
man E. Clay Shaw, Jr. introduced bipartisan legislation, the Social Security Number 
Privacy and Identity Theft Prevention Act of 2003 (H.R. 2971). The bill would pro- 
hibit the sale, purchase, and display to the general public of SSNs in the public and 
private sectors, with certain exceptions for law enforcement, national security, pub- 
lic health, and other specified circumstances. The legislation also prevents consumer 
reporting agencies from releasing SSN information other than in a full consumer re- 
port, and prevents businesses from denying products or services if an individual re- 
fuses to divulge his or her SSN. 

In addition, the bill would require improvements in the process of issuing SSNs, 
and would create new criminal and civil penalties for those who misuse SSNs — for 
example, those who sell another individual’s SSN or counterfeit SSNs; or those who 
violate the bill’s prohibitions on sale, purchase, and display to the general public. 

In announcing the hearing, Chairman Shaw stated: “We can no longer ignore the 
role SSNs play in facilitating identity theft. My bill is designed to protect SSN pri- 
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vacy while preserving its vital use in our society and economy, by ensuring SSNs 
are assigned accurately, exchanged only when necessary, and protected from 
indiscriminant disclosure.” 

FOCUS OF THE HEARING: 


The Subcommittee will examine how criminals use SSNs to commit identity theft, 
the impact on victims, and will receive feedback from consumer advocates and rep- 
resentatives from the public and private sector regarding the Social Security Num- 
ber Privacy and Identity Theft Prevention Act of 2003. 

DETAILS FOR SUBMISSION OF WRITTEN COMMENTS: 


Please Note: Any person(s) and/or organization(s) wishing to submit for the hear- 
ing record must follow the appropriate link on the hearing page of the Committee 
website and complete the informational forms. From the Committee homepage, 
http://waysandmeans.house.gov, select “108th Congress" from the menu entitled, 
“Hearing Archives” (http://waysandmeans.house.gov /Hearings. asp?congress=16). Se- 
lect the hearing for which you would like to submit, and click on the link entitled, 
“Click here to provide a submission for the record.” Once you have followed the on- 
line instructions, completing all informational forms and clicking “submit” on the 
final page, an email will be sent to the address which you supply confirming your 
interest in providing a submission for the record. You MUST REPLY to the email 
and ATTACH your submission as a Word or WordPerfect document, in compliance 
with the formatting requirements listed below, by close of business Tuesday, June 
22, 2004. Finally, please note that due to the change in House mail policy, the U.S. 
Capitol Police will refuse sealed-package deliveries to all House Office Buildings. 
For questions, or if you encounter technical problems, please call (202) 225-1721. 

FORMATTING REQUIREMENTS: 


The Committee relies on electronic submissions for printing the official hearing record. As al- 
ways, submissions will be included in the record according to the discretion of the Committee. 
The Committee will not alter the content of your submission, but we reserve the right to format 
it according to our guidelines. Any submission provided to the Committee by a witness, any sup- 
plementary materials submitted for the printed record, and any written comments in response 
to a request for written comments must conform to the guidelines listed below. Any submission 
or supplementary item not in compliance with these guidelines will not be printed, but will be 
maintained in the Committee files for review and use by the Committee. 

1. All submissions and supplementary materials must be provided in Word or WordPerfect 
format and MUST NOT exceed a total of 10 pages, including attachments. Witnesses and sub- 
mitters are advised that the Committee relies on electronic submissions for printing the official 
hearing record. 

2. Copies of whole documents submitted as exhibit material will not be accepted for printing. 
Instead, exhibit material should be referenced and quoted or paraphrased. All exhibit material 
not meeting these specifications will be maintained in the Committee files for review and use 
by the Committee. 

3. All submissions must include a list of all clients, persons, and/or organizations on whose 
behalf the witness appears. A supplemental sheet must accompany each submission listing the 
name, company, address, telephone and fax numbers of each witness. 

Note: All Committee advisories and news releases are available on the World 
Wide Web at http://waysandmeans.house.gov 

The Committee seeks to make its facilities accessible to persons with disabilities. 
If you are in need of special accommodations, please call 202-225-1721 or 202-226- 
3411 TTD/TTY in advance of the event (four business days notice is requested). 
Questions with regard to special accommodation needs in general (including avail- 
ability of Committee materials in alternative formats) may be directed to the Com- 
mittee as noted above. 
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ADVISORY 

FROM THE COMMITTEE ON WAYS AND MEANS 

SUBCOMMITTEE ON SOCIAL SECURITY 


FOR IMMEDIATE RELEASE CONTACT: (202) 225-9263 

June 14, 2004 
SS-9 — Revised 

Change in Time for Hearing on Enhancing Social 
Security Number Privacy 

Congressman E. Clay Shaw, Jr. (R-FL), Chairman, Subcommittee on Social Secu- 
rity of the Committee on Ways and Means, today announced that the Subcommittee 
hearing on enhancing Social Security number privacy, previously scheduled for 
Tuesday, June 15, 2004, at 10:00 a.m., in room B-318 Rayburn House Office Build- 
ing, will now be held at 11:00 a.m. 

All other details for the hearing remain the same. (See Subcommittee Advisory 
No. SS-9, dated June 8, 2004 


Chairman SHAW. Good morning. Welcome to all our guests. We 
were up until midnight cranking out a tax bill last night. I appre- 
ciate, Ben, you and Sam being here. Today the Subcommittee will 
hear testimony about the growing threat of identity theft, the need 
to prevent identity theft and terrorists from stealing innocent 
Americans’ Social Security numbers (SSNs), and my bipartisan, 
and I underscore bipartisan, “Social Security Number Privacy and 
Identity Theft Prevention Act of 2003,” H.R. 2971. I think you are 
a cosponsor of that. 

The SSN is woven into the fabric of many of our dealings with 
governments and businesses. They are widely used as personal 
identifiers even though the original purpose was simply to track 
earnings for determining eligibility and benefit amounts under So- 
cial Security. Some of the uses of the SSNs help us achieve impor- 
tant goals like reducing waste, fraud and abuse in government pro- 
grams; enforcing child support; and aiding law enforcement. Unfor- 
tunately there is also wide use of SSNs for everyday business 
transactions. Concerns about identity theft are rapidly growing. Ac- 
cording to the Federal Trade Commission (FTC), identity theft is 
the number one consumer complaint, amounting to 42 percent of 
complaints received in 2003. Americans are becoming more aware 
of the role of SSNs in identity theft thanks to the efforts of the SSA 
(SSA), the FTC, the U.S. Postal Inspection Service, and other agen- 
cies. Due to the increasing public pressure to act, businesses are 
starting to move away from using SSNs, and several States have 
passed legislation that does protect SSNs. 

While everybody recognizes the need to protect the SSNs, Fed- 
eral laws do not do enough to prevent the unnecessary disclosure. 
As a result, SSNs are sought-after tools for identity theft; worse 
yet, terrorists use of SSN fraud and identity theft to assimilate 
themselves into our society. Identity theft continues to threaten our 
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individual and national security. Clearly we need a comprehensive 
law to better protect the privacy of SSNs, and protect the American 
public from being victimized. That is why I, along with several 
Members of the Subcommittee, including the Ranking Member Mr. 
Matsui, introduced H.R. 2971, the “Social Security Number Privacy 
and Identity Theft Prevention Act of 2003.” This bill would restrict 
the sale and public display of SSNs, limit dissemination of SSNs 
by consumers reporting agencies, make it more difficult for busi- 
nesses to deny services if a customer refuses to provide his or her 
SSN, and establish civil and criminal penalties for the violation. 

Providing for uses of SSNs that benefit the public while pro- 
tecting their privacy is a very complex balancing act. This bill 
achieves that balance by ensuring SSNs are assigned accurately, 
exchanged only when necessary, and protected from the indiscrimi- 
nate disclosure. This Subcommittee has been working on a bipar- 
tisan basis to protect the privacy of SSNs and prevent identity 
theft since the 106th Congress when it first approved the Social Se- 
curity Number Privacy and Identity Theft Prevention Act of 2002. 
In the 107th Congress, I, along with Ranking Member Matsui and 
80 other Members of Congress, sponsored a similar bill. Consider- 
ation of this legislation was rightly preempted by necessary con- 
gressional response to the September 11 attacks. 

My hope is that this hearing will serve as a catalyst toward ac- 
tion, first through markup in this Subcommittee and the full Com- 
mittee, followed by similar action by other Committees of jurisdic- 
tion, so that we may bring this important legislation to the House. 
Again, I underscore that in going through my statement, you may 
wonder, well, if you have had all this time why haven’t you done 
anything? The problem really lies in that there is so much jurisdic- 
tion throughout Capitol Hill, that has stalled us at many, many 
areas where we shouldn’t have been stalled down. I look forward 
to hearing from each of our witnesses, and I thank each of you in 
advance for sharing with us your experience and your rec- 
ommendations. I would now yield to the gentleman from Maryland, 
my friend Mr. Cardin. 

Mr. CARDIN. Thank you, Chairman Shaw. First let me thank 
you for conducting this hearing, and thank you for your leadership 
on this issue. It is a difficult matter, the proper use of SSNs and 
the misuse of SSNs and the role that people illegally obtaining 
SSNs have used in identity theft. So, these are issues that are of 
great concern to all of us in Congress. 

Mr. Chairman, if I am correct, I think this is the 11th hearing 
that our Subcommittee has held in the last 4 years on this general 
subject because of our concern, and I do applaud you for the intro- 
duction of H.R. 2971, the “Social Security Number Privacy and 
Identity Theft Prevention Act of 2003”. You are correct. This enjoys 
strong bipartisan support. I am proud to be a cosponsor of that bill. 
I think it is absolutely essential that Congress act in this area to 
give the clear message about the seriousness of the misuse of 
SSNs. 

A SSN should be your identifying number for Social Security. It 
should not be used for every other purpose imaginable that is cur- 
rently being used by society and by commerce, but it is being used 
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for other purposes, and it presents a real dilemma for us as to how 
we reverse this use and how we can protect a person’s privacy. 

It is a very serious issue, because what identity theft has meant 
to our Nation, the FTC has received more than a half million calls 
on the identity fraud line, and they have projected that about 5 
percent, 5 percent of our adult population of the United States, 
some 10 million people, were victims of some kind of identity theft 
in just the last 12 months. So, this is a huge issue that we need 
to deal with. We can’t just be quiet on the subject by saying it is 
difficult in that so many people have our SSNs, and how are we 
ever going to be able to retrieve the privacy that was intended 
when the Social Security system was created. 

I look forward to hearing the testimony of our witnesses today 
as we try to develop a strategy to balance the needs of our society 
and the protection of our constituents. Mr. Chairman, I look for- 
ward to working with you and the other Members of the Committee 
as we attempt to get through the maze of the different jurisdic- 
tional problems in Congress and pass the necessary protective laws 
here in this body. Thank you. 

Chairman SHAW. Thank you, Mr. Cardin. I would like to yield 
at this time to Mr. Ryan, who is here and wants to introduce a 
member of the second panel, but he is concerned that his schedule 
might not allow him to be here, so I would yield to him for that 
introduction. 

Mr. RYAN. I thank the Chair. I have a bill coming to the floor 
momentarily, so I won’t I be able to stay until that time, but I 
wanted to just take a couple of moments to introduce someone who 
is on the next panel who is a perfect person to have testifying with 
us today. That is Mark Ladd, who is the Register of Deeds for 
Racine County. Mark is very experienced, has been the Register of 
Deeds in Racine since 1994. He is the past President of the Wis- 
consin Register of Deeds Association. He is also a member of the 
Board of Directors of the National Association of County Recorders 
and Election Clerks, and he is the Co-Chair of the Property 
Records Industry Association Technology Board, which is, I think, 
in that capacity where he is going to offer a lot of expertise. He is 
also a good friend of mine, and I am excited that Mark is here to 
testify in the next panel. 

I hope that I can make it. It is only when you have a bill coming 
to the floor, which I have on the Suspension Calendar, that it pre- 
sents a very unpredictable schedule. So, I thank the Chair for in- 
dulging me to be able to introduce my friend and a good expert 
from Racine, Wisconsin, who will be testifying on the next panel. 
Thank you, and I yield. 

Chairman SHAW. Okay. The first panel, which is already assem- 
bled at the table, are also four perfect witnesses: Howard Beales, 
who is the Director of the Bureau of Consumer Protection in the 
FTC; Patrick O’Carroll, Acting Inspector General, SSA; Barbara 
Bovbjerg, who is Director of Education, Work force and Income Se- 
curity; Lawrence Maxwell, Assistant Chief Inspector of the Inves- 
tigations and Security. Welcome, all of you. We have each of your 
full statements that will be made a part of the record. You may 
proceed as you see fit, and if you could capsule your statement into 
5 minutes, we would be most appreciative. 
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STATEMENT OF J. HOWARD BEALES, III, DIRECTOR, BUREAU 
OF CONSUMER PROTECTION, FEDERAL TRADE COMMISSION 

Mr. BEALES. Thank you, Mr. Chairman. I am Howard Beales. 
I am Director of the FTC’s Bureau of Consumer Protection, and I 
am pleased to present the views of the Commission this morning. 
In a survey we conducted last year, the Commission learned some 
startling results about the incidence of identity theft and the im- 
pact of this crime on its victims. The data showed that within the 
12 months preceding the survey, almost 3 and one-fourth million 
persons discovered that an identity thief opened new accounts in 
their names. An additional 6.6 million people learned of the misuse 
of an existing account. Overall nearly 10 million people, or 4.6 per- 
cent of the adult population, discovered that they were victims of 
some form of identity theft. 

These numbers translate to nearly $48 billion in losses to busi- 
nesses, nearly $5 billion in losses to victims, and almost 300 hours 
spent by victims to resolve their problems. Moreover, identity theft 
is a growing crime. The survey indicated a significant increase in 
the previous 2 to 3 years, nearly a doubling from one year to the 
next, although the research also showed that this increase has 
slowed recently. Notably the recent increase involved the misuse of 
existing accounts, which tends to cause less economic injury to vic- 
tims and is generally easier for them to identify and to fix. 

Overall, the survey analysis puts the incident rates of identity 
theft into sharper focus and demonstrates the need for concerted 
action between the public and private sectors to act aggressively to 
reduce identity theft, SSNs play a pivotal role in identity theft. 
Thieves use the SSN as a key to access the financial benefits avail- 
able to their victim. Preventing identity thieves from obtaining 
SSNs will help to protect consumers from this pernicious crime. 
The potential for misuse arises because SSNs are crucial to the 
proper functioning of our financial system. Socials are used to 
match consumers to their credit and other financial information. 
Without them, information may be attributed to the wrong con- 
sumers, and the accuracy of credit reports may be degraded. Ena- 
bling SSNs to be used appropriately will help to ensure that con- 
sumers continue to enjoy the benefits of our current credit system. 

The Commission is studying the efficacy of increasing the num- 
ber of points of identifying information that a credit reporting 
agency is required to match to ensure that a consumer is the cor- 
rect individual to whom a consumer report relates before releasing 
that report to a user. The study to be completed by this December 
should greatly increase our knowledge of the importance of SSNs 
in the matching process, and we look forward to reporting our find- 
ings. 

Socials are collected by public and private entities for various 
purposes, and several Federal and State laws restrict the use or 
disclosure of SSNs depending on the source. The nationwide credit 
bureaus are primary private sources of SSNs, collecting informa- 
tion from financial institutions for credit reporting purposes. This 
information typically includes the consumer’s identifying informa- 
tion, such as name, address and SSN, as well as information relat- 
ing to the consumer’s credit accounts. The identifying information 
collected by the credit bureau is one of the most reliable and com- 
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prehensive sources of this information, because individuals tend to 
provide their financial institutions with accurate and up-to-date in- 
formation. Moreover, credit bureau databases contain information 
for over 200 million consumers. 

The Gramm-Leach-Bliley Act (P.L. 106-102) imposes certain re- 
strictions on the reuse and re-disclosure of the identifying informa- 
tion that is collected by credit bureaus as a general matter. The act 
prohibits financial institutions from disclosing nonpublic personal 
information to nonaffiliated third parties without first providing 
consumers with notice and the opportunity to opt out of such dis- 
closure. This general restriction, however, is subject to certain ex- 
ceptions. The information may flow from financial institutions to 
others for certain purposes specified in the statute and in the rule, 
including, for example, to process transactions or to report con- 
sumer information to credit bureaus. When information is disclosed 
under these exceptions, the recipient may not use or disclose that 
information except in the ordinary course of business to carry out 
the activity covered by the exception under which the information 
was received. 

The Fair and Accurate Credit Transactions (FACT) Act of 2003 
(P.L. 108-159) provides several new and important measures to 
prevent identity theft and facilitate victim recovery. One prominent 
benefit will be greater access to free consumer reports. Several 
other measures also act to prevent identity theft. The National 
Fraud Alert System will put potential creditors on notice that they 
must proceed with caution. The red flag rulemaking will require fi- 
nancial institutions and creditors to analyze patterns and take ap- 
propriate steps to prevent the crime. When fully implemented, 
these provisions should help to reduce the incidence of identity 
theft and to help victims recover when problems do occur. 

Identity theft places substantial costs on individuals and busi- 
nesses. We look forward to working with businesses on better ways 
for them to protect the valuable information of the consumers with 
whom they do business as well as other means of preventing iden- 
tity theft. We anticipate that Nation will help and reduce the im- 
pact on victims as well. Thank you, and as you know, Mr. Chair- 
man, I have a prior obligation at noon, and I will stay as long as 
I can to answer questions. I would be happy to answer questions 
for the record, but I may have to leave early. 

[The prepared statement of Mr. Beales follows:] 

Statement of J. Howard Beales, III, Director, Bureau of Consumer 
Protection, Federal Trade Commission 

I. INTRODUCTION 

Mr. Chairman, and members of the Subcommittee, I am J. Howard Beales, III, 
Director of the Bureau of Consumer Protection, Federal Trade Commission (“FTC” 
or “Commission”). 1 I appreciate the opportunity to present the Commission’s views 
on identity theft and Social Security numbers. The Federal Trade Commission has 
a broad mandate to protect consumers, and controlling identity theft is an important 
issue of concern to all consumers. Through this testimony, the Commission will de- 
scribe the results of a recent survey on the prevalence and impact of identity theft, 
the ways in which Social Security numbers are collected and used, new protections 


1 The views expressed in this statement represent the views of the Commission. My oral pres- 
entation and responses to questions are my own and do not necessarily represent the views of 
the Commission or any Commissioner. 
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for consumers and identity theft victims, and the Commission’s identity theft pro- 
gram. 

II. UNDERSTANDING THE IMPACT OF IDENTITY THEFT 

On November 1, 1999, the Commission began collecting identity theft complaints 
from consumers in its national database, the Identity Theft Data Clearinghouse (the 
“Clearinghouse”). 2 Every year since has seen an increase in complaints. 3 The Clear- 
inghouse now contains over 600,000 identity theft complaints taken from victims 
across the country. By itself, though, these self-reported data do not currently allow 
the FTC to draw any firm conclusions about the incidence of identity theft in the 
general population. To address this important issue, the FTC commissioned a sur- 
vey last year to gain a better picture of the incidence of identity theft and the im- 
pact of the crime on its victims. 4 The results were startling. The data showed that 
within the 12 months preceding the survey, 3.23 million persons discovered that an 
identity thief opened new accounts in their names. An additional 6.6 million con- 
sumers learned of the misuse of an existing account. Overall, nearly 10 million peo- 
ple — or 4.6 percent of the adult population — discovered that they were victims of 
some form of identity theft. These numbers translate to nearly $48 billion in losses 
to businesses, nearly $5 billion in losses to individual victims, and almost 300 mil- 
lion hours spent by victims trying to resolve their problems. 

Moreover, identity theft is a growing crime. The survey indicated a significant in- 
crease in tbe previous 2-3 years — nearly a doubling from one year to the next, al- 
though the research showed that this increase has recently slowed. Notably, this re- 
cent increase primarily involved the misuse of an existing account, which tends to 
cause less economic injury to victims and is generally easier for them to identify and 
fix. Overall, the 2003 survey analysis puts the incidence rates of identity theft into 
sharper focus, and demonstrates the need for a concerted effort between the public 
and private sectors to act aggressively to reduce identity theft. 

III. SOCIAL SECURITY NUMBER USES AND IDENTITY T HE FT 

Social Security numbers play a pivotal role in identity theft. Identity thieves use 
the Social Security number as a key to access the financial benefits available to 
their victims. Preventing identity thieves from obtaining Social Security numbers 
will help to protect consumers from this pernicious crime. The potential for misuse 
arises because Social Security numbers are crucial to the proper functioning of our 
financial system. Social Security numbers are used to match consumers to their 
credit and other financial information. Without them, information may be attributed 
to the wrong consumer, and the accuracy of credit reports may be degraded. Ena- 
bling Social Security numbers to be used appropriately will help to ensure that con- 
sumers continue to enjoy the benefits of our current credit system. The Commission 
is studying “the efficacy of increasing the number of points of identifying informa- 
tion that a credit reporting agency is required to match to ensure that a consumer 
is the correct individual to whom a consumer report relates before releasing a con- 
sumer report to a user” as required by the Fair and Accurate Credit Transactions 
Act of 2003. 5 This study, to be completed by December, 2004, should greatly in- 
crease our knowledge of the importance of Social Security numbers in the matching 
process. The Commission looks forward to reporting its findings to Congress. 

Social Security numbers are collected by public and private entities for various 
purposes, and several federal and state laws restrict the use or disclosure of Social 
Security numbers, depending on the source. 6 The nationwide credit bureaus are pri- 


2 See infra Section V for a discussion of the Commission’s mandate to maintain an identity 
theft complaint database pursuant to the 1998 Identity Theft Assumption and Deterrence Act. 

3 Charts that summarize data from the Clearinghouse can be found at http:// 
www.consumer.gov/idtheft/stats.html and http://www.consumer.gov/sentinel/index.html. 

4 The research took place during March and April 2003. It was conducted by Synovate, a pri- 
vate research firm, and involved a random sample telephone survey of over 4,000 U.S. adults. 
The full report of the survey can be found at http://www.consumer.gov/idtheft/stats.html. 

3 Pub. L. No. 108-396, §318 (2003). 

6 As GAO has reported, government and commercial entities use social security numbers for 
a number of different purposes, including to verify the eligibility of applicants, manage records, 
and conduct research. U.S. General Accounting Office, Social Security: Government and Com- 
mercial Use of the Social Security Number is Widespread , GAO/HEHS-99-28 (Washington, D.C.: 
Feb 16, 1999) and Social Security Numbers: Government Benefits from SSN Use but Could Pro- 
vide Better Safeguards , GAO-02—352 (Washington, D.C.: May 31, 2002). As examined in detail 
in GAO’s January 2004 report, private sector entities (information resellers, consumer reporting 
agencies, health care organizations) obtain social security numbers both directly from consumers 
and other businesses, and the entities use them for a variety of purposes, including identifica- 
tion and to match the consumer to information stored in the consumer’s credit report. See U.S. 

Continued 
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mary private sources of Social Security numbers, collecting information from finan- 
cial institutions for credit reporting purposes. This information typically includes a 
consumer’s identifying information — such as name, address, and Social Security 
number — as well as information related to the consumer’s credit accounts. The iden- 
tifying information collected by the credit bureaus is one of the most reliable and 
comprehensive sources of this information, because individuals tend to provide their 
financial institutions with accurate and up-to-date identifying information and the 
credit bureau databases contain information for over 200 million consumers. 7 

The Gramm-Leach-Bliley Act (“GLBA”) 8 imposes certain restrictions on the reuse 
and redisclosure of the identifying information — including Social Security num- 
bers — that is collected by credit bureaus from financial institutions. 9 As a general 
matter, the GLBA prohibits financial institutions from disclosing nonpublic personal 
information (“NPI”) to nonaffiliated third parties without first providing consumers 
with notice and the opportunity to opt out of such disclosure. This general restric- 
tion, however, is subject to certain exceptions. The information may flow from finan- 
cial institutions to others for certain purposes specified in the statute and rule, in- 
cluding, for example, to process transactions or to report consumer information to 
credit bureaus. 10 When information is disclosed under these GLBA exceptions, the 
recipient may not use or disclose that NPI except “in the ordinary course of business 
to carry out the activity covered by the exception under which . . . the information 
[was received].” 11 

IV. NEW PROTECTIONS FOR IDENTITY THEFT VICTIMS 

On December 4, 2003, the Fair and Accurate Credit Transactions Act of 2003 
(“FACTA”) was enacted. 12 Many of the provisions amend the Fair Credit Reporting 
Act (“FCRA”), 13 and provide new and important measures to prevent identity theft 
and facilitate identity theft victims’ recovery. Some of these measures will take ef- 
fect this year. 14 They will codify many of the voluntary measures initiated by the 
private sector and improve other recovery procedures already in place. 

One prominent benefit of these amendments to the FCRA is the greater access 
to free consumer reports. 15 Previously under the FCRA, consumers were entitled to 
a free consumer report only under limited circumstances. 16 Beginning in December 
of this year with a regional rollout, nationwide and nationwide specialty consumer 


General Accounting Office, Social Security Numbers: Private Sector Entities Routinely Obtain 
and Use SSNs and Laws Limit the Disclosure of This Information , GAO-04-11 (Washington, 
D.C.: Jan. 22, 2004). 

1 See Consumer Data Industry Association’s Web site, available at http://www.cdiaonline.org/ 
about.cfm. 

8 Subtitle A of Title 5 of the GLBA, 15 U.S.C. §§6801-6809. 

9 The GLBA applies to any “nonpublic personal information” (“NPI”) that a financial institu- 
tion collects about an individual in connection with providing a financial product or service to 
an individual, unless that information is otherwise publicly available. This includes basic identi- 
fying information about individuals, such as name. Social Security number, address, telephone 
number, mother’s maiden name, and prior addresses. See, e.g., 65 Fed. Reg. 33,646, 33680 (May 
24, 2000) (the FTC’s Privacy Rule). This identifying information generally is not covered by the 
Fair Credit Reporting Act. See FTC v. Trans Union, Dkt. 9255, Op. of the Commission at pp. 
30-31 (Mar. 1, 2000) (holding that consumer name. Social Security number, address, telephone 
number, and mother’s maiden name do not constitute a consumer report under the FCRA). 

10 These exceptions are found in § 502(e) of the GLBA, and in §§313.14 and 313.15 of the 
FTC’s privacy rule. The other GLBA privacy rules contain substantially similar provisions. The 
§313.14 exceptions relate to the processing and servicing of transactions at the consumer’s re- 
quest, and the §313.15 exceptions contain a broad range of unrelated exceptions, such as pre- 
venting fraud, assisting law enforcement, complying with subpoenas, and reporting to credit bu- 
reaus. Section 313.13 also contains an exception to the notice and opt out requirement, but that 
section is not relevant here because it relates to contractual arrangements with service pro- 
viders and joint marketers. 

11 16 C.F.R. 313.1 KaXIXiii), (c)(3) (2000). 

12 Pub. L. No. 108-396 (2003) (codified at 15 U.S.C. § 1681 et seq.). 

13 15 U.S.C. § 1681 et seq. 

14 The statute set effective dates for certain sections and required the Commission and the 
Federal Reserve Board jointly to set effective dates for the remaining sections. See Effective 
Dates for the Fair and Accurate Credit Transactions Act of 2003, 16 C.F.R. §602.1 (2004). 

15 Pub. L. No. 108-396, §211 (2003). 

16 Previously, free reports were available only pursuant to the FCRA when the consumer suf- 
fered adverse action, believed that fraudulent information may be in his or her credit file, was 
unemployed, or was on welfare. Absent one of these exceptions, consumers had to pay a statu- 
tory “reasonable charge” for a file disclosure; this fee is set each year by the Commission and 
is currently $9. See 15 U.S.C. § 1681j. In addition, a small number of states required the CRAs 
to provide free annual reports to consumers at their request. 
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reporting agencies 17 must provide free credit reports to consumers once annually, 
upon request . 18 Free reports will enhance consumers’ ability to discover and correct 
errors, thereby improving the accuracy of the system, and also enable consumers to 
detect identity theft early. 

Other measures that act to prevent identity theft include: 

• National fraud alert system : 19 Consumers who reasonably suspect they have 
been or may be victimized by identity theft, or who are military personnel on 
active duty away from home , 20 can place an alert on their credit files. The alert 
will put potential creditors on notice that they must proceed with caution when 
granting credit in the consumer’s name. The provision also codified and stand- 
ardized the “joint fraud alert” initiative administered by the three major credit 
reporting agencies. After receiving a request from an identity theft victim for 
the placement of a fraud alert on his or her consumer report and for a copy 
of that report, each credit reporting agency now shares that request with the 
other two nationwide credit reporting agencies, thereby eliminating the need for 
the victim to contact each of the three agencies separately. 

• Truncation of credit and debit card receipts : 21 In some instances, identity theft 
results from thieves obtaining access to account numbers on credit card re- 
ceipts. FACTA seeks to reduce this source of fraud by requiring merchants to 
truncate the full card number on electronic receipts. The use of truncation tech- 
nology is becoming widespread, and some card issuers already require mer- 
chants to truncate . 22 

• “Red flag” indicators of identity theft : 23 The banking regulators and the FTC 
will jointly develop a rule to identify and maintain a list of “red flag” indicators 
of identity theft. The goal of this provision is for financial institutions and credi- 
tors to analyze identity theft patterns and practices so that they can take ap- 
propriate action to prevent this crime. 

• Disposal of Consumer Report Information and Records : 24 The banking regu- 
lators and the FTC are coordinating a rulemaking to require proper disposal of 
consumer information derived from consumer reports . 25 This requirement will 
help to ensure that sensitive consumer information, including Social Security 
numbers, is not simply left in a trash dumpster, for instance, once a business 
no longer needs the information . 26 

FACTA also includes measures that will assist victims with their recovery. These 
provisions include: 

• Identity theft account blocking : 21 This provision requires credit reporting agen- 
cies immediately to cease reporting, or block, allegedly fraudulent account infor- 
mation on consumer reports when the consumer submits an identity theft re- 
port , 28 unless there is reason to believe the report is false. Blocking would miti- 
gate the harm to consumers’ credit records that can result from identity theft. 
Credit reporting agencies must also notify information furnishers who must 
then cease furnishing the fraudulent information and may not sell, transfer, or 
place for collection the debt resulting from the identity theft. 


17 Section 603(w) of the FCRA defines a “nationwide specialty consumer reporting agency” as 
a consumer reporting agency that compiles and maintains files on consumers relating to medical 
records or payments, residential or tenant history, check writing history, employment history, 
or insurance claims, on a nationwide basis. 15 U.S.C. § 1681a(w). 

18 See Free Annual File Disclosures, 16 C.F.R. §§610.1 and 698.1 (2004). 

19 Pub. L. No. 108-396, §112 (2003). 

20 The Commission is developing a rule on the duration of this active duty alert. See Related 
Identity Theft Definitions, Duration of Active Duty Alerts, and Appropriate Proof of Identity 
Under the Fair Credit Reporting Act, 69 Fed. Reg. 23370, 23372 (April 28, 2004) (to be codified 
at 16 C.F.R. pt. 613). 

21 Pub. L. No. 108-396, §113 (2003). 

22 FACTA creates a phase-in period to allow for the replacement of existing equipment. 

23 Id. § 114. 

24 Id. §216. 

25 Disposal of Consumer Report Information and Records, 69 Fed. Reg. 21388 (April 20, 2004) 
(to be codified at 16 C.F.R. pt. 682). 

26 In its outreach materials, the FTC also advises consumers to shred any sensitive informa- 
tion before disposing of it. 

27 Pub. L. No. 108-396, §152 (2003). 

28 The Commission is developing a rule to define the term “identity theft report.” See Related 
Identity Theft Definitions, Duration of Active Duty Alerts, and Appropriate Proof of Identity 
Under the Fair Credit Reporting Act, 69 Fed. Reg. 23370, 23371 (April 28, 2004) (to be codified 
at 16 C.F.R. pt. 603). 
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• Information available to victims: 29 A creditor or other business must give vic- 
tims copies of applications and business records relating to the theft of their 
identity at the victim’s request. This information can assist victims in proving 
that they are, in fact, victims. For example, they may be better able to prove 
that the signature on the application is not their signature. 

• Prevention of re-reporting fraudulent information: 30 Consumers can provide 
identity theft reports directly to creditors or other information furnishers to pre- 
vent them from continuing to furnish fraudulent information resulting from 
identity theft to the credit reporting agencies. 

When fully implemented, these provisions should help to reduce the incidence of 
identity theft, and help victims recover when the problem does occur. 

V. THE FEDERAL TRADE COMMISSION’S ROLE IN COMBATING IDEN- 
TITY THEFT 

The FTC’s role in combating identity theft derives from the 1998 Identity Theft 
Assumption and Deterrence Act (“the Identity Theft Act” or “the Act”). 31 The Iden- 
tity Theft Act strengthened the criminal laws governing identity theft 32 and focused 
on consumers as victims. 33 The Act directed the Federal Trade Commission to estab- 
lish the federal government’s central repository for identity theft complaints, to 
make available and to refer these complaints to law enforcement for their investiga- 
tions, and to provide victim assistance and consumer education. Thus, the FTC’s 
role under the Act is primarily one of facilitating information sharing among public 
and private entities. 34 

To fulfill the Act’s mandate, the Commission implemented a program that focuses 
on three principal components: (1) collecting complaints and providing victim assist- 
ance through a telephone hotline and a dedicated website, (2) maintaining and pro- 
moting the Clearinghouse, a centralized database of victim complaints that serves 
as an investigative tool for law enforcement, and (3) outreach and education to con- 
sumers, law enforcement, and private industry. 

A. Assisting Identity Theft Victims 

The Commission takes complaints from victims through a toll-free hotline, 1-877- 
ID THEFT (438-4338), 35 and a secure online complaint form on its website, 
www.consumer.gov/idtheft. In addition, the FTC provides advice on recovery from 
identity theft. Callers to the hotline receive telephone counseling from specially 
trained personnel who provide general information about identity theft and help 
guide victims through the steps needed to resolve the problems resulting from the 


29 Pub. L. No. 108-396, §151 (2003). 

30 Id. § 154. 

31 Pub. L. No. 105-318, 112 Stat. 3007 (1998) (codified at 18 U.S.C. § 1028). 

32 18 U.S.C. § 1028(a)(7) made identity theft a crime by focusing on the unlawful use of an 
individual’s “means of identification,” which broadly includes “any name or number that may 
be used, alone or in conjunction with any other information, to identify a specific individual,” 
including, among other things, name, address, social security number, driver’s license number, 
biometric data, access devices (i.e., credit cards), electronic identification number or routing code, 
and telecommunication identifying information. 

33 Because individual consumers’ financial liability is often limited, prior to the passage of the 
Act, financial institutions, rather than individuals, tended to be viewed as the primary victims 
of identity theft. Setting up an assistance process for consumer victims is consistent with one 
of the Act’s stated goals: to recognize the individual victims of identity theft. See S. Rep. No. 
105-274, at 4 (1998). 

34 Most identity theft cases are best addressed through criminal prosecution. The FTC itself 
has no direct criminal law enforcement authority. Under its civil law enforcement authority pro- 
vided by Section 5 of the FTC Act, the Commission may, in appropriate cases, bring actions to 
stop practices that involve or facilitate identity theft. See, e.g., FTC v. Corporate Marketing Solu- 
tions, Inc., CIV — 02 1256 PHX RCB (D. Ariz Feb. 3, 2003) (final order) (defendants “pretexted” 
personal information from consumers and engaged in unauthorized billing of consumers’ credit 
cards) and FTC v. C.J., CIV— 03 5275 GHK (RZx) (C. D. Cal. July 24, 2003) (final order); FTC 
v. Hill, CV-H— 03-5537 (S.D. Tex. Dec. 3, 2003) (final order); and FTC v. M.M., CV-04-2086 
(E.D. NY May 18, 2004) (final order) (defendants sent “phishing” spam purporting to come from 
AOL or Paypal and created look-alike websites to obtain credit card numbers and other financial 
data from consumers that defendants used for unauthorized online purchases.). In addition, the 
FTC brought six complaints against marketers for purporting to sell international driver’s per- 
mits that could be used to facilitate identity theft. Press Release, Federal Trade Commission, 
FTC Targets Sellers Who Deceptively Marketed International Driver’s Permits over the Internet 
and via Spam (Jan. 16, 2003) (at http://www.ftc.gov / opa / 2003 / 01 / idpfinal.htm). 

35 The Commission has a separate toll-free line (877-FTC-HELP) to serve those with general 
consumer protection complaints. 
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misuse of their identities. 36 Victims are currently advised to: 37 (1) obtain copies of 
their credit reports from the three national consumer reporting agencies and have 
a fraud alert placed on their credit reports; 38 (2) contact each of the creditors or 
service providers where the identity thief has established or accessed an account, 
to request that the account be closed and to dispute any associated charges; and (3) 
report the identity theft to the police and get a police report, which is very helpful 
in demonstrating to would-be creditors and debt collectors that the consumers are 
genuine victims of identity theft. 

Counselors also advise victims having particular problems about their rights 
under relevant consumer credit laws including the FCRA, 39 the Fair Credit Billing 
Act, 40 the Truth in Lending Act, 41 and the Fair Debt Collection Practices Act. 42 If 
another federal agency can assist victims because the nature of the victims’ identity 
theft falls within such agency’s jurisdiction, callers also are referred to those agen- 
cies. 

The FTC’s identity theft website, located at www.consumer.gov/idtheft, provides 
equivalent service for those who prefer the immediacy of an online interaction. The 
site contains a secure complaint form, which allows victims to enter their identity 
theft information into the Clearinghouse. Victims also immediately can read and 
download all of the resources necessary for reclaiming their credit record and good 
name, including the FTC’s tremendously successful consumer education booklet, 
Identity Theft: When Bad Things Happen to Your Good Name.* 3 The 26-page book- 
let, now in its fourth edition, comprehensively covers a range of topics, including the 
first steps to take for victims and how to correct more intensive credit-related prob- 
lems that may result from identity theft. It also describes other federal and state 
resources that are available to victims who may be having particular problems as 
a result of the identity theft. The FTC alone has distributed more than 1.3 million 
copies of the booklet since its release in February 2000, and recorded over 1.4 mil- 
lion visits to the Web version. 44 

B. The Identity Theft Data Clearinghouse 

One of the primary purposes of the Identity Theft Act was to enable criminal law 
enforcement agencies to use a single database of victim complaints to support their 
investigations. To ensure that the database operates as a national clearinghouse for 
complaints, the FTC accepts complaints from external sources such as other state 
or federal agencies as well as directly from consumers through its call center and 
online complaint form. For example, in February 2001, the Social Security Adminis- 
tration Office of Inspector General (SSA-OIG) began providing the FTC with com- 
plaints from its fraud hotline, significantly enriching the FTC’s database. 

The Clearinghouse provides a picture of the nature, prevalence, and trends of the 
identity theft victims who submit complaints. The Commission publishes annual 
charts showing the prevalence of identity theft complaints by states and by cities. 45 
Law enforcement and policy makers at all levels of government use these reports 
to better understand the challenges identity theft presents. 

Since the inception of the Clearinghouse in July of 2000, more than 970 law en- 
forcement agencies, from the federal to the local level, have signed up for secure on- 
line access to the database. Individual investigators within those agencies have the 
ability to access the system from their desktop computers 24 hours a day, seven 
days a week. 

The Commission actively encourages even greater use of the Clearinghouse. Be- 
ginning in 2002, in an effort to further expand the use of the Clearinghouse among 


36 Spanish speaking counselors are available for callers who select the Spanish-language op- 
tion on the toll-free line. 

37 As the relevant provisions of FACTA become effective, the Commission will update its ad- 
vice to victims on their new rights and procedures for recovery. 

38 These fraud alerts indicate that the consumer is to be contacted before new credit is issued 
in that consumer’s name. 

39 15 U.S.C. § 1681 et seq. 

40 Id. § 1666. The Fair Credit Billing Act generally applies to “open end” credit accounts, such 
as credit cards, revolving charge accounts, and overdraft checking accounts. It does not cover 
installment contracts, such as loans or extensions of credit that are repaid on a fixed schedule. 

41 Id. § 1601 et seq. 

42 Id. § 1692 et seq. 

43 Identity Theft: When Bad Things Happen to Your Good Name and the secure complaint form 
are available in Spanish. 

44 Other government agencies, including the Social Security Administration, the SEC, and the 
FDIC also have printed and distributed copies of Identity Theft: When Bad Things Happen to 
Your Good Name. 

45 Charts that summarize data from the Clearinghouse can be found at http:// 
www.consumer.gov/idtheft/stats.html and http://www.consumer.gov/sentinel/index.html. 
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law enforcement, the FTC, in cooperation with the Department of Justice, the 
United States Postal Inspection Service, and the United States Secret Service, initi- 
ated full day identity theft training seminars for state and local law enforcement 
officers. To date, seminars have been held in Washington, D.C., Des Moines, Chi- 
cago, San Francisco, Las Vegas, Dallas, Phoenix, New York City, Seattle, San Anto- 
nio, Orlando, and Raleigh. The FTC also helped the Kansas and Missouri offices of 
the U.S. Attorney and State Attorney General conduct a training seminar in Kansas 
City. More than 1500 officers have attended these seminars, representing more than 
600 different agencies. Future seminars are being planned for additional cities. 

The FTC staff also developed an identity theft case referral program. 46 The staff 
creates preliminary investigative reports by examining significant patterns of iden- 
tity theft activity in the Clearinghouse and refining the data through the use of ad- 
ditional investigative resources. Then the staff refers the investigative reports to ap- 
propriate Financial Crimes Task Forces and other law enforcers throughout the 
country for further investigation and potential prosecution. The FTC is aided in this 
work by its federal law enforcement partners including the United States Secret 
Service, the Federal Bureau of Investigation, and the United States Postal Inspec- 
tion Service who provide staff and other resources. Recently, an FBI analyst has 
worked intensively with the Clearinghouse complaints, using sophisticated analyt- 
ical software to find related complaints and combine the information with other data 
sources available to the FBI. 

C. Outreach and Education 

The Identity Theft Act also directed the FTC to educate consumers about identity 
theft. Recognizing that law enforcement and private industry each play an impor- 
tant role in helping consumers both to minimize their risk and to recover from iden- 
tity theft, the FTC expanded its outreach and education mission to include these 
sectors. 

(1) Consumers: The FTC has taken the lead in the development and dissemi- 
nation of comprehensive consumer education materials for victims of identity 
theft and those concerned with preventing this crime. The FTC’s extensive con- 
sumer and business education campaign includes print and online materials, 
media mailings, and radio and television interviews. The FTC also maintains 
the identity theft website, www.consumer.gov/idtheft, which includes the publi- 
cations and links to testimony, reports, press releases, identity theft-related 
state laws, and other resources. 

To increase awareness for the average consumer and provide tips for mini- 
mizing the risk of identity theft, the FTC developed a new primer on identity 
theft, ID Theft: What’s It All About ?. 47 Taken together with the detailed victim 
recovery guide, Identity Theft: When Bad Things Happen to Your Good Name, 
the two publications help to educate consumers. 

(2) Law Enforcement: Because law enforcement at the state and local level 
can provide significant practical assistance to victims, the FTC places a pre- 
mium on outreach to such agencies. In addition to the training described pre- 
viously (see infra Section V.B), the staff joined with North Carolina’s Attorney 
General Roy Cooper to send letters to every other Attorney General about the 
FTC’s identity theft program and how each Attorney General could use the re- 
sources of the program to better assist residents of his or her state. Other out- 
reach initiatives include: (i) Participation in a “Roll Call” video produced by the 
Secret Service, which has been sent to thousands of law enforcement depart- 
ments across the country to instruct officers on identity theft, investigative re- 
sources, and assisting victims; and (ii) the redesign of the FTC’s website to in- 
clude a section for law enforcement with tips on how to help victims as well 
as resources for investigations. 

(3) Industry: The private sector can help with the problem of identity theft 
in several ways. From prevention through better security and authentication, 
to helping victims recover, businesses play a key role in reducing the impact 
of identity theft. 

(a) Information Security Breaches: The FTC works with institutions that 
maintain personal information to identify ways to help keep that information 
safe from identity theft. 48 In 2002, the FTC invited representatives from fi- 


46 The referral program complements the regular use of the database by all law enforcers from 
their desktop computers. 

47 Since its release in May 2003, the FTC has distributed almost 554,000 paper copies and 
over 75,000 web versions, and developed a Spanish version. 

48 The Commission also has law enforcement authority relating to information security. In ad- 
dition to developing the Disposal Rule pursuant to FACTA, see supra Section IV, the Commis- 
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nancial institutions, credit issuers, universities, and retailers to an informal 
roundtable discussion of how to prevent unauthorized access to personal infor- 
mation in employee and customer records. 

As awareness of the FTC’s role in identity theft has grown, businesses and 
organizations that have suffered compromises of personal information have 
begun to contact the FTC for assistance. 49 To provide standardized assistance 
in these types of cases, the FTC developed a kit, Information Compromise and 
the Risk of Identity Theft: Guidance for Your Business, that is available on 
the identity theft website.The kit provides advice on contacting consumers, 
law enforcement agencies, business contact information for the three major 
credit reporting agencies, information about contacting the FTC for assist- 
ance, and a detailed explanation of what information individuals need to 
know to protect themselves from identity theft. 

(b) Victim Assistance: Identity theft victims may spend substantial time and 
effort restoring their good names and financial records. As a result, the FTC 
devotes substantial resources to conducting outreach with the private sector 
on ways to improve victim assistance procedures. One such initiative arose 
from the burdensome requirement that victims complete a different fraud affi- 
davit for each different creditor with whom the identity thief had opened an 
account. 50 To reduce that burden, the FTC worked with industry and con- 
sumer advocates to create a standard form for victims to use in resolving 
identity theft debts. From its release in August 2001 through April 2004, the 
FTC has distributed more than 293,000 print copies of the ID Theft Affidavit. 
There have also been nearly 557,000 hits to the Web version. The affidavit 
is available in both English and Spanish. 

VI. CONCLUSION 

Identity theft places substantial costs on individuals and businesses. The Commis- 
sion looks forward to working with businesses on better ways for them to protect 
the valuable information of consumers with which they are entrusted as well as 
other means of preventing identity theft. The Commission anticipates that as the 
new provisions of FACTA take effect, they will further help to reduce identity theft 
as well as its impact on victims. 


Chairman SHAW. Thank you, Mr. Beales, and we appreciate 
your time that you are able to spend with us. Mr. O’Carroll. 

STATEMENT OF PATRICK P. O’CARROLL, ACTING INSPECTOR 
GENERAL, SOCIAL SECURITY ADMINISTRATION 

Mr. O’CARROLL. Good morning, Mr. Chairman, Mr. Cardin, and 
Members of this Committee. Thank you for inviting me here today 
to discuss SSN misuse and H.R. 2971. As we were all paying our 
respects to President Ronald Reagan last week, I couldn’t help re- 


sion also is responsible for enforcing its GLBA Safeguards Rule, which requires financial institu- 
tions under the FTC’s jurisdiction to develop and implement appropriate physical, technical, and 
procedural safeguards to protect customer information. FTC Safeguards Rule, 16 C.F.R. §314.1 
(2002). In brief, the Safeguards Rule requires financial institutions to develop a written informa- 
tion security plan that includes certain elements that are basic to security. 

In the past few years, the FTC has also brought enforcement actions against four companies 
that the Commission alleged made false promises about securing sensitive consumer informa- 
tion, in violation of Section 5 of the FTC Act. 15 U.S.C. § 45(a) These actions resulted in settle- 
ments with those companies that collected sensitive information from consumers while making 
such promises. Those actions arise out of the Commission’s finding that these companies’ secu- 
rity measures were inadequate and their information security claims therefore were deceptive. 
See, e.g., In re Microsoft Corp., FTC Dkt. C— 4069, Final Decision and Order available at http:// 
www.ftc.gov/os/2002/12/microsoftdecision.pdf (Dec. 20, 2002). 

49 See, e.g. the incidents involving TriWest (Adam Clymer, Officials Say Troops Risk Identity 
Theft After Burglary, N.Y. Times, Jan. 12, 2003, § 1 (Late Edition), at 12) and Ford/Experian 
(Kathy M. Kristof and John J. Goldman, 3 Charged in Identity Theft Case, LA Times, Nov. 6, 
2002, Main News, Part 1 (Home Edition), at 1). 

50 See ID Theft: When Bad Things Happen to Your Good Name: Hearing Before the Subcomm. 
on Technology, Terrorism and Government Information of the Senate Judiciary Comm. 106 th 
Cong. (2000) (statement of Mrs. Maureen Mitchell, Identity Theft Victim). 
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calling that his signing of the Inspector General Act made our work 
possible. 

It is because the SSN is so heavily relied upon as an identifier, 
it is a valuable commodity for lawbreakers. I will focus today on 
SSN misuse, homeland security and identity theft, and what more 
needs to be done to insure the integrity of the SSN. While financial 
crimes involving SSN misuse are more numerous than terrorism- 
related crimes, the potential threat to homeland security neverthe- 
less justifies intense concern. Our primary mission is to protect the 
integrity of SSA programs and operations, and because of that we 
focus investigative efforts on cases affecting SSN integrity. We in- 
vestigate and arrest suspects for fraud against Social Security pro- 
grams and crimes involving SSN misuse. 

In our homeland security and identity theft responsibility, we 
work closely with other Federal agencies participating in 63 joint 
terrorism task forces and 29 antiterrorism advisory councils. We 
recently met with the U.S. Department of Homeland Security to 
discuss methods in which we could work together to address the 
SSN’s critical role at critical infrastructure sites. We have begun 
staffing an SSN Integrity Protection Team that combines the tal- 
ents of auditors, investigators and attorneys. 

My office is working closely with this Subcommittee and the SSA 
to strengthen controls over enumeration, to ensure the integrity of 
identification documents and to make SSN fraud as difficult as pos- 
sible. Together with you and with SSA, we have made important 
strides in reducing enumeration vulnerabilities. Still, we believe 
the SSA should implement the following changes: establish a rea- 
sonable threshold for the number of replacement SSN cards an in- 
dividual may obtain during a year and over a lifetime to continue 
to address identified weaknesses within the information security 
environment; verify birth records before issuing SSNs to citizens 
under the age of 1; and to incorporate additional controls in the 
SSA’s Enumeration-at -Birth process. 

We have conducted numerous audits and made extensive rec- 
ommendations to the SSA to improve the SSN misuse problem in 
the earnings reporting area, and, most importantly, to improve con- 
trols over SSN misuse as it pertains to homeland security. We be- 
lieve SSA and lawmakers should examine the feasibility of the fol- 
lowing initiatives: to limit public SSN availability to the greatest 
extent practicable without unduly limiting commerce; to enact 
strong enforcement mechanisms and stiffer penalties for SSN mis- 
use; cross-verify legitimate databases that use the SSA as a key 
data element; and review the implications of releasing information 
on deceased individuals. 

We believe new legislation should prohibit the sale of SSNs, in- 
cluding one’s own, on the open markets; to limit the use of the SSN 
to appropriate and legitimate transactions; and to prohibit using 
SSNs as student or patient identification numbers or as part of car 
rental contracts or video rentals; and to enhance penalties for those 
few SSA employees who assist criminals in obtaining SSNs. We 
support legislation such as H.R. 2971, which severely limits the 
sale, purchase, and display of SSNs to the general public. We also 
believe legislation such as H.R. 1731, the Identity Theft Penalty 
Enhancement Act, is a significant step toward holding accountable 
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individuals who misuse SSNs to commit egregious crimes. Over the 
past years we have made progress protecting SSN integrity. We 
stand ready to do more. I would now be happy to answer any ques- 
tions you may have. Thank you. 

[The prepared statement of Mr. O’Carroll follows:] 

Statement of Patrick P. O’Carroll, Acting Inspector General, Social Security 

Administration 

Good Morning, Mr. Chairman, Mr. Matsui, and members of the Subcommittee. 
Let me first thank you for the invitation to be here today for this important hearing 
to discuss the pervasive problem of Social Security number (SSN) misuse and the 
Committee’s proposed legislation to protect the privacy of SSNs, the Social Security 
Number Privacy and Identity Theft Prevention Act of 2003 (H.R. 2971). 

The SSN as a National Identifier 

I would like to begin my testimony today with a simple declaration: The SSN is 
a national identifier. In past years, many would challenge that statement. Today, 
we live in a changed world, and the SSN’s role as a national identifier is a recog- 
nized fact. Unfortunately, with that knowledge, we must also accept that because 
the SSN is so heavily relied upon as an identifier, it is a valuable commodity for 
lawbreakers. Given the importance of this unique, nine-digit number and the tre- 
mendous risk associated with its misuse, one of the most important responsibilities 
my office undertakes each day is oversight of SSN integrity. Today I would like to 
focus my testimony on how the SSN is misused to commit crimes, my office’s role 
in addressing homeland security and identity theft and what more needs to be done 
to ensure the integrity of the SSN. 

Misuse of the SSN to Commit Crimes 

While financial crimes involving SSN misuse are more numerous than terrorism- 
related crimes, the potential threat to homeland security nevertheless justifies in- 
tense concern. An SSN allows an individual to assimilate themselves into U.S. soci- 
ety. SSNs, therefore, become valuable tools for terrorists or others who wish to live 
in the United States and operate under the “radar screen.” Such individuals may 
obtain SSNs by purchasing them, creating them, stealing them, utilizing the SSN 
of a deceased individual or obtaining them from SSA directly through the use of fal- 
sified documents. Once an individual has an SSN, he has the ability to work, buy 
a home, and engage in a wide range of financial transactions including the raising 
and transferring of funds. 

I am also concerned about the escalating occurrences of identity theft, which is 
the fastest-growing form of white-collar crime in the United States. In September 
2003, the Federal Trade Commission (FTC) released a survey showing that 27.3 mil- 
lion Americans were victims of identity theft between 1998 and 2003 — including 9.9 
million people in the study’s final year. FTC also reported that during the study’s 
final year, losses to businesses and financial institutions totaled nearly $48 billion 
and consumer victims reported $5 billion in out-of-pocket expenses. Clearly, this is 
an epidemic that must be brought under control. 

Identity theft is an “enabling” crime, one that facilitates other types of crime, 
ranging from passing bad checks and defrauding credit card companies to commit- 
ting acts of terrorism. Additionally, criminals use identity theft to defraud Federal 
agencies and programs of millions of dollars. 

For example, based on an investigation conducted by our Atlanta Field Division, 
a St. Petersburg, Florida resident was recently sentenced to 27 months of incarcer- 
ation and ordered to make restitution to SSA for over $79,000 in survivors benefits 
she received for herself and three nonexistent children. To perpetrate this scheme, 
the individual assumed the identity of a former acquaintance by obtaining a North 
Carolina identification card in her friend’s name. With this new identity, she used 
fraudulent birth certificates to apply for SSNs on behalf of two fictitious children. 
She also altered court marriage and divorce documents, falsely claiming that a 
known deceased man was her ex-husband and the fictitious children’s father. She 
perpetrated this elaborate scheme so that she could apply for and receive Social Se- 
curity survivors benefits for the fictitious children — and, until caught, was success- 
ful in doing so. Further investigation revealed that she had previously committed 
a similar crime resulting in additional survivors benefits for herself and another fic- 
titious child. 

Other Federal agencies such as the Department of Housing and Urban Develop- 
ment (HUD) have also experienced a significant increase in the number of identity 
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theft occurrences in their programs. Within programs administered by HUD, iden- 
tity thieves are using someone else’s SSN to obtain and then default on home mort- 
gages — leaving taxpayers to pay their bills. 

For those with an illicit motive, an SSN can be obtained in many ways: 

• Presenting false documentation to SSA. 

• Stealing another person’s SSN. 

• Purchasing an SSN on the black market. 

• Using the SSN of a deceased individual. 

• Creating a nine-digit number out of thin air. 

Although SSA may never be able to completely prevent individuals from pur- 
chasing an SSN on the black market or stealing the SSN of another, we are proud 
that our efforts are making it more difficult to do so. 

Our Role in Addressing Homeland Security and Identity Theft 

Recognizing the importance of SSNs to terrorists and identity thieves, SSA and 
the OIG take very seriously our responsibility to ensure that these numbers are 
only issued to those with a legal reason for having one. As such, we continuously 
seek innovative ways to prevent SSN misuse and create collaborative partnerships 
with other Federal, State, and local entities to address both homeland security and 
identity theft concerns. 

OIG Homeland Security Activities: 

Our active involvement in addressing homeland security began on September 11, 
2001, with our agents assisting in rescue efforts and site security at the World 
Trade Center. We immediately assigned supervisors and agents to the FBI Com- 
mand Centers in New York City and New Jersey to process information and inves- 
tigate leads. The Inspector General ordered all Field Divisions to assist in Joint Ter- 
rorism Task Forces (JTTF) and Anti-Terrorism Task Forces (ATTF) around the 
country — in fact, we are now active participants in 63 Joint Terrorism Task Forces 
and 29 Anti-Terrorism Task Forces, as well as the Foreign Terrorist Tracking Task 
Force. 

While participating in these task forces, our agents have assisted in better secur- 
ing many of our Nation’s airports and nuclear facilities by ensuring that employees 
and individuals having access to secure areas within these locations are working 
under their true names and SSNs. Further, as part of its anti-terrorism activities 
in the Buffalo area, our New York Field Division investigated six men from neigh- 
boring Lackawanna suspected of terrorist-related activities. Our investigators deter- 
mined the identities of the “Lackawanna Six” and their attendance and participa- 
tion in an al Qaeda terrorist training camp in Afghanistan. One suspect had two 
Social Security cards in his possession at the time of his arrest. All six suspects 
pleaded guilty to providing material support or resources to designated foreign ter- 
rorist organizations and received sentences of 7 to 10 years in prison. 

In carrying out our homeland security responsibility, we coordinate closely with 
other Federal agencies. For example, we recently met with representatives of the 
Department of Homeland Security (DHS) to discuss methods in which we could 
work together to address the SSN’s role in homeland security. We welcome this op- 
portunity and believe cooperative ventures such as these are imperative to ensure 
that all of the links in the homeland security chain stay connected. Based on our 
initial discussions, we plan to work with DHS to explore possible data matching and 
cross-verification opportunities — those that are currently provided for under law and 
those for which additional legislation may be required. 

OIG Identity Theft Activities: 

By law and by mission, our office has a narrow but important role in the overall 
effort to address identity theft. Much of the Federal government’s response to iden- 
tity theft issues rightly belongs to the FTC. State and local law enforcement agen- 
cies and financial institutions also have critical roles to play. 

Because our primary mission is to protect the integrity of SSA’s programs and op- 
erations, in the majority of our identity theft investigations, we continue to focus 
investigative efforts on cases that affect SSN integrity. For example, our Chicago 
Field Division took part in a 3-day inter-agency undercover operation that resulted 
in the arrest of 12 suspects dealing in fraudulently obtained Social Security cards, 
State driver’s licenses, and U.S. passports. Our investigators determined that the 
group’s leader and 11 others took part in an elaborate document-counterfeiting 
scheme to obtain valid SSNs for non-existent children. The names belonged to un- 
documented noncitizens who paid up to $5,000 each for valid documents. Members 
of the group were sentenced to up to 2 years in prison or given immunity from pros- 
ecution for their cooperation in the undercover sting. 
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To maximize our investigative resources, we dedicate agents that work on task 
forces with other law enforcement agencies nationwide to investigate identity 
crimes. We also work closely with prosecutors to bundle SSN misuse cases that, 
when presented separately, may not have been accepted for prosecution. 

We are also continuing our efforts to identify opportunities for SSA to further 
strengthen the integrity of the SSN. One of my major concerns has been the use 
of fraudulent documents to obtain SSNs. In an August 2002 audit, we estimated 
that during FY 2000, SSA assigned at least 63,000 SSNs to noncitizens based on 
invalid immigration documents that SSA processes did not detect. Based on our rec- 
ommendation, SSA improved its controls in this area and now verifies all immigra- 
tion documents presented by noncitizens with the issuing agency before assigning 
an SSN. We believe SSA’s decision to adopt our recommendation was laudable and 
significantly reduced the circumstances under which an unauthorized noncitizen 
may obtain a legitimate SSN from the Agency. We are currently examining the 
Agency’s compliance with this and other enumeration controls. Additionally, we con- 
tinue to explore and recommend further controls the Agency can implement to 
strengthen SSA’s important responsibility of assigning SSNs. 

SSN Integrity Protection Team: 

Protecting the integrity of the SSN has become a major part of the work we do. 
The President’s Fiscal Year 2004 Budget enabled us to begin staffing our SSN Integ- 
rity Protection Team to combat SSN misuse and identity theft. The Team is an inte- 
grated model that combines the talents of auditors, investigators and attorneys in 
a comprehensive approach, allowing SSA and OIG to: 

• Support Homeland Security. 

• Identify patterns and trends of SSN misuse. 

• Locate systemic weaknesses that contribute to SSN misuse such as in the enu- 
meration and earnings related processes. 

• Recommend legislative or other corrective actions to enhance the SSN’s integ- 
rity. 

• Pursue criminal and civil enforcement provisions for individuals misusing SSNs. 

Our SSN Integrity Protection Team will enable us to better target audit and in- 
vestigative work. The Team will participate with other Federal, State and local enti- 
ties to collaborate on potential SSN misuse activities. It is critical that we continue 
to receive funding in future budgets for this important initiative. 

SSA Initiatives to Address SSN Integrity: 

SSA has made significant progress in strengthening the defenses of the SSN, im- 
plementing important suggestions our office has made, and working with us to find 
solutions. In November 2001, the Commissioner of Social Security established an 
Enumeration Response Team (ERT) comprised of executives across the Agency, in- 
cluding representatives from the OIG. The Commissioner charged this group with 
identifying steps the Agency could take to improve the enumeration process and to 
enhance the integrity of the SSN. Since that time, the Commissioner and the ERT 
have implemented numerous policies and procedures designed to better ensure that 
only individuals authorized to do so, receive an SSN. For example, the ERT rec- 
ommended, and SSA adopted, more stringent circumstances under which an indi- 
vidual may obtain a nonwork SSN. We are proud to serve on workgroups such as 
these and applaud the Commissioner and SSA for its strong commitment to improv- 
ing SSN integrity. 

Prior to the ERT, the Agency implemented other initiatives such as the Com- 
prehensive Integrity Review Process (CIRP) and Enumeration at Entry process. The 
CIRP system identifies vulnerabilities in the enumeration process and issues alerts 
to SSA’s field offices (FO) to develop and certify. The FO reviewer, usually a man- 
ager or supervisor, performs an enumeration integrity review of each alert. If the 
reviewer determines that there is a possibility of fraud, the alert is forwarded to 
the OIG for development and disposition. 

The Enumeration at Entry initiative is a collaboration with the Department of 
Homeland Security (DHS) and the Department of State (DOS) to not only facilitate 
issuance of SSNs to legally admitted aliens whose immigration status permits such 
issuance, but it ensures through DHS and DOS certifications that the identity and 
immigration status of the alien is what is purported. 

What Actions Still Need to Be Taken to Address SSN Misuse 

Despite the significant progress SSA and Congress have made in recent years to 
address SSN misuse, we believe SSN integrity and protection still need improve- 
ment at three stages: at issuance, during the life of the number-holder, and fol- 
lowing the number-holder’s death. 



20 


At Stage One (issuance of the SSN), my office is doing more work than ever, work- 
ing closely with this Subcommittee and SSA to strengthen controls over the enu- 
meration process, ensure the integrity of identification documents, and make it as 
difficult as possible to fraudulently obtain an SSN from the Federal government. To- 
gether with you and with SSA, we have made important strides in reducing enu- 
meration vulnerabilities, and that effort continues. Still, to strengthen our defenses 
even further, we believe SSA should implement the following changes. 

• Establish a reasonable threshold for the number of replacement SSN cards an 
individual may obtain during a year and over a lifetime. 

• Continue to address identified weaknesses within the enumeration process to 
better safeguard SSNs. 

• Verify the validity of birth records with the issuing State before issuing an SSN 
to U.S. citizens under age 1. 

• Work with State Bureaus of Vital Statistics to incorporate additional controls 
in SSA’s Enumeration-at-Birth program, such as periodically reconciling the 
number of SSNs assigned through the program to the number of births reported 
by participating hospitals. 

It is at Stages Two (during the life of the number holder) and Three (after the 
number holder’s death) where we have focused the majority of our efforts, and 
where we have made the most progress. In the last several years, we have con- 
ducted numerous audits and made extensive recommendations to SSA to improve 
the SSN misuse problem in the earnings reporting process, and most importantly, 
to improve controls over SSN misuse as it pertains specifically to Homeland Secu- 
rity. Nevertheless, to more completely address SSN integrity during the life of the 
number holder and following that number holder’s death, we believe SSA and law- 
makers should examine the feasibility of the following initiatives. 

• Limiting the SSN’s public availability to the greatest extent practicable, without 
unduly limiting commerce. 

• Prohibiting the sale of SSNs, prohibiting their display on public records, and 
limiting their use to legitimate transactions. 

• Enacting strong enforcement mechanisms and stiffer penalties to further dis- 
courage SSN misuse. 

• Cross-verifying all legitimate databases that use the SSN as a key data ele- 
ment. 

• Review the implications of releasing information on deceased individuals. 
Limiting the SSN’s Public Availability and Sale of the SSN 

Perhaps the most important step we can take in preventing SSN misuse is to 
limit the SSN’s easy availability. We believe legislation designed to protect the SSN 
must strictly limit the number’s availability on public documents. As long as crimi- 
nals can walk into the records room of a courthouse or local government building 
and walk out with names and SSNs culled from public records, it will be extremely 
difficult to reverse the trend. We believe effective legislation should also specifically 
prohibit the sale of SSNs — including one’s own SSN — on the open market. As long 
as criminals can buy a list of names and SSNs through an Internet auction, we will 
continue to be plagued by the consequences. 

To be fully effective, we also believe legislation must limit the use of the SSN to 
appropriate and valid transactions. The financial industry relies on the SSN, and 
no one is suggesting that we change the way legitimate business is conducted in 
the United States. But the use of the SSN as a student or patient identification 
number, as part of a car rental contract or to rent a video, must be curtailed. 

Congress enacted the Identity Theft and Assumption Deterrence Act in 1998, re- 
sponding to the growing epidemic of identity thefts by imposing criminal sanctions 
for those who create a false identity or misappropriate someone else’s. The Internet 
False Identification Prevention Act, adopted in 2000, closed a loophole left by the 
earlier legislation, enabling our office and other law enforcement organizations to 
pursue vendors who previously could sell counterfeit Social Security cards legally by 
maintaining the fiction that such cards were “novelties” rather than counterfeit doc- 
uments. More legislative tools are needed, and we have worked with Congress to 
identify legislation necessary to protect the integrity of the SSN. For example, the 
House is now considering H.R. 2971, the Social Security Number Privacy and Iden- 
tity Theft Prevention Act of 2003 , which would seriously restrict the use of SSNs in 
the private and public sector, and criminalize the sale of SSNs. 

Penalties 

The Identity Theft legislation I discussed earlier provides criminal penalties, but 
those penalties were designed for broader crimes involving Social Security cards 
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and/or SSNs, not for SSN misuse itself. We believe legislation should not only pro- 
vide criminal penalties in the Social Security Act, but also enhance penalties for 
those few SSA employees who betray the public trust and assist criminals in obtain- 
ing SSNs. 

For example, a former SSA Service Representative was sentenced to 3 years pro- 
bation and community service after pleading guilty to a bribery charge in connection 
with issuing 100 to 200 Social Security cards to illegal aliens. She received between 
$50 and $150 for each card. We believe it is critically important to send a strong 
message to SSA employees tempted to facilitate crimes against Agency programs by 
pursuing the maximum sentence possible. 

The House Committee on the Judiciary recently approved H.R. 1731, the Identity 
Theft Penalty Enhancement Act , which established enhanced penalties for aggra- 
vated identity theft. While increased criminal penalties are a welcomed addition to 
the arsenal available for use in combating identity theft, we also believe legislation 
should provide an administrative safety net in the form of Civil Monetary Penalties 
to allow for some form of relief when criminal prosecution is not available for SSN 
misuse and other Social Security-related crimes. 

Cross-verification 

Additionally, we strongly support cross-verification of SSNs through both govern- 
mental and private sector systems of records to identify and address inaccuracies. 
Our experience has shown that cross-verification can combat and limit the spread 
of false identification and SSN misuse. Further, we believe all law enforcement 
agencies should be provided the same SSN cross-verification capabilities currently 
granted to employers. In doing so, the law enforcement community would use data 
already available to the Federal, State and local governments and the financial sec- 
tor. 

Potentially, the rewards of cross-verification can be great, yet it would not require 
major expenditures of money or the creation of new offices or agencies. We believe 
legislation is needed to require mandatory cross-verification of identification data 
between governmental, financial and commercial holders of records and the SSA on 
a recurring basis. To offset SSA’s cost for providing such services, the Agency could 
charge a modest fee to commercial and financial entities. The technology to accom- 
plish these data matches and verifications exists now. Coupled with steps already 
underway by SSA to strengthen the integrity of its enumeration business process, 
cross-verification, once initiated, would be a critical step in combating the spread 
of identity fraud. 

Let me give you an example of an identity theft case in which cross-verification 
may have prevented a crime against a Federal government program, saving tax- 
payers $62,000. A Salt Lake City grandmother learned last year from one of my 
Denver Field Division agents that her SSN was used to purchase a $146,000 HUD 
home. This identity theft went undiscovered until the home went into foreclosure 
because the criminals used this grandmother’s SSN, but another name to purchase 
the home. Had HUD been allowed to verify the accuracy of the borrower’s name and 
SSN with SSA, HUD would have recognized the discrepancy and denied the loan. 
In this one case alone, the Government would have saved the thousands of program 
dollars HUD had to pay to foreclose and resell the property. Additionally, this elder- 
ly Salt Lake City grandmother would have been spared the time and expense of re- 
pairing her credit record. 

We believe cross-verification is one of the most important tools the Government 
and private sector can employ to reduce the instances of identity theft. We under- 
stand the important issue of consumer privacy that must be considered by Congress 
and others before allowing such data integrity matches. However, our ability to pre- 
vent these egregious crimes would be enhanced by additional legislation balancing 
the need for consumer privacy with the need for accurate identifying information. 

Conclusion 

We always appreciate the invitation to speak with this committee and the very 
important work you do to help ensure the integrity of SSA programs and the SSN. 
We are very pleased with the progress Congress and SSA have made in addressing 
the issue of SSN integrity over the last several years. However, we reiterate our 
concern that more must be done to ensure that only those individuals authorized 
to have an SSN receive one and that anyone who fraudulently obtains and misuses 
an SSN is adequately penalized. As such, we support legislation such as H.R. 2971, 
the Social Security Number Privacy and Identity Theft Prevention Act of 2003, which 
severely limits the sale, purchase and display of SSNs to the general public. We also 
believe legislation such as H.R. 1731, the Identity Theft Penalty Enhancement Act, 
is a significant step toward holding accountable individuals who misuse SSNs to 
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commit egregious crimes. We encourage this Committee and others in Congress to 
stay firm in your resolve to enact these two bills. 

We also ask that Congress consider other measures such as increased cross- 
verification among Government and private sector entities, Civil Monetary Penalties 
for SSN misuse and other Social Security-related crimes when criminal prosecution 
is not available, and stronger penalties for those few SSA employees that betray the 
public trust by selling SSNs. We will certainly continue our vigilance in addressing 
these issues and stand ready to do more to enhance the safety and well-being of 
all Americans. I would now be happy to answer any questions you may have. 


Chairman SHAW. Thank you. Ms. Bovbjerg. 

STATEMENT OF BARBARA D. BOVBJERG, DIRECTOR OF EDU- 
CATION, WORKFORCE, AND INCOME SECURITY ISSUES, U.S. 

GENERAL ACCOUNTING OFFICE 

Ms. BOVBJERG. Thank you. Mr. Chairman, Members of the 
Subcommittee, good morning. I am pleased to be here today once 
again to discuss issues associated with the use and misuse of the 
SSN. The wide use of SSNs for non-Social Security purposes causes 
concern because these numbers, as these gentlemen have noted, 
are among the personal identifiers most often sought by identity 
thieves. 

Today I will present results of our completed and ongoing work 
on a variety of issues associated with the SSN. I would like to focus 
first on the private sector use of the SSN and the protections that 
companies apply, and then second on public sector uses and protec- 
tions. My testimony is based on reports we have prepared for you 
over the last several years, and on ongoing work that focuses more 
specifically on SSNs in public records. 

Let me speak first about the SSN in the private sector. We re- 
ported to you in January that companies use the SSN for a variety 
of purposes, only some of which are restricted by law. Consumer 
reporting agencies and health care organizations have come to rely 
on the SSN as an identifier in the course of doing their business, 
like assessing credit risk or tracking patient care. These businesses 
often obtain SSNs from the individuals seeking their services, and 
the re-disclosure of these SSNs to others is restricted by Federal 
law. 

Some businesses that function as information resellers aggregate 
information, including SSNs, from various sources for resale. They 
obtain data from public records like bankruptcy proceedings, tax 
liens and voter registration rolls, and from private compilations 
like phone books. These businesses then resell this information to 
a variety of customers. The resellers we contacted told us that they 
generally limit their services to customers who establish accounts 
with them and with whom they have contracts that restrict the ex- 
tent to which the data purchased can be re-disclosed. Many also 
say they truncate the SSN if they provide it at all. Indeed, Federal 
and State laws have apparently helped to control business display 
and distribution of personal information. 

At the Federal level, the Fair Credit Reporting Act (P.L. 91-508), 
Gramm-Leach-Bliley, Health Insurance Portability and Account- 
ability Act 1996 (HIPAA) (P.L. 104-191), among others, have con- 
trolled use, distribution and display of the SSN in specific indus- 
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tries. Several States, most notably California, have enacted laws 
restricting display and use of SSNs, and although limited to a par- 
ticular State, these restrictions have caused private companies to 
alter their policies, in some cases nationwide. No law, however, re- 
stricts use and display of the SSN in all industries, in all locations, 
leaving the potential for misuse where protections are inadequate. 

Let me now turn to the public sector. As we have reported pre- 
viously, Federal, States and county government agencies rely ex- 
tensively on the SSN to maintain records with unique identifiers 
and to maintain program integrity. Although government agencies 
told us of various steps they take to safeguard the SSNs they use, 
we found that key protections are not uniformly in place, and that 
individual SSNs are still displayed on key public documents such 
as the Medicare card. We also found that some Federal agencies 
and many State and county agencies maintain public records that 
contain SSNs. Public records are documents routinely made avail- 
able to the public for inspection, such as marriage licenses and 
property transactions. 

When we examined this issue 2 years ago, some public officials 
told us they were considering making such records available on 
their Web sites to enhance customer service. We expressed our con- 
cern then that such actions would create new opportunities for 
identity thieves to gather SSNs on a broad scale. We are currently 
conducting work for the Subcommittee to determine where and how 
SSNs most regularly appear in public records. Preliminary data 
suggest that SSNs most frequently appear in court records, land 
records, uniform commercial code filings, and professional licensing 
records. We are still analyzing the extent to which these records 
are available electronically. Interestingly, some of the government 
agencies we surveyed reported that although SSNs appeared in the 
public records they retain, they had no specific use for them. 

In conclusion, although SSNs are used for many beneficial pur- 
poses, the widespread use and retention of them in both the public 
and private sectors creates opportunities for identity theft. Al- 
though both government and private companies have strengthened 
their protections of personal data and have indeed reduced display 
of this information in the last several years, these actions are far 
from uniform and still leave troubling gaps. 

Reducing Americans’ vulnerability to SSN misuse will require 
finding the balance between the benefits of SSN use and the costs 
of improved and more consistent protection. We look forward to 
continuing to work with this Subcommittee to identify 
vulnerabilities and to devise adequate and cost-effective protec- 
tions, and hope that these will serve the millions of Americans with 
SSNs. Thank you. 

[The prepared statement of Ms. Bovbjerg follows:] 

Statement of Barbara D. Bovbjerg, Director of Education, Workforce, and 
Income Security Issues, U.S. General Accounting Office 

Mr. Chairman and Members of the Subcommittee: 

I am pleased to be here today to discuss private and public sector entities’ use 
of Social Security numbers (SSNs). Although the Social Security Administration 
(SSA) originally created SSNs as a means to track workers’ earnings and eligibility 
for Social Security benefits, over time the SSN has come to be used for a myriad 
of purposes; individuals are frequently asked to supply personal information, includ- 
ing their SSNs, to both public and private sector entities. In addition, individuals’ 
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SSNs can be found in a number of public sources such as records displayed to the 
public. Given the uniqueness and broad applicability of the SSN, many private and 
public sector entities rely extensively on the SSN sometimes as a way to accumulate 
and identify information for their databases, sometimes to comply with federal regu- 
lations, and other times for various business purposes. The potential for misuse of 
the SSN has raised questions about how private and public sector entities obtain, 
use, and protect SSNs. 

Although Congress has passed a number of laws to protect the security of per- 
sonal information, the continued use of and reliance on SSNs by both private and 
public sector entities underscores the importance of determining if appropriate safe- 
guards are in place to protect individuals’ private information or if enhanced protec- 
tion of individuals’ personal information is needed. Accordingly, you asked us to talk 
about how certain types of private and public sector entities obtain SSNs and what 
protections, if any, exist to govern their use. My remarks today will focus on describ- 
ing (1) how private sector entities obtain, use, and protect SSNs and (2) public sec- 
tor uses and protections. 

To determine how private sector entities obtain, use, and protect SSNs, we relied 
on our previous work that looked at how private sector entities obtain and use SSNs 
and the laws that limit disclosure of this use. 1 To determine how the public sector 
uses and protects SSNs, we also relied on our previous work that looked at the gov- 
ernment’s use and protection of SSNs. 2 We are currently conducting a survey of 
state and local agencies to determine the extent to which SSNs are displayed in 
public records, the types of records they are displayed in, and how those records are 
maintained. In addition, we are conducting structured interviews of federal agencies 
concerning the display of SSNs. 

In summary, entities such as information resellers, consumer reporting agencies 
(CRAs), and health care organizations routinely obtain SSNs from their business cli- 
ents and from public sources, such as marriage licenses, paternity determinations, 
and professional licenses. Businesses use SSNs for various purposes, such as to 
build databases, verify individuals’ identities, or match existing records. 3 Given the 
various types of services these companies offer, we found that all of these entities 
have come to rely on the SSN as an identifier, which they say helps them determine 
a person’s identity for the purpose of providing the services they offer. However, cer- 
tain federal laws have helped to limit the disclosures of personal information these 
private sector entities are allowed to make to their customers. Private sector entities 
are either subject to the laws directly, given the nature of their business, or indi- 
rectly, through their business clients who are subject to these laws. Some states 
have also enacted laws to restrict the private sector’s use of SSNs. However, such 
restrictions vary by state. 

Public sector entities also rely extensively on SSNs. These agencies often obtain 
SSNs for compliance with federal laws and regulations and for their own agencies’ 
purposes. We found that federal, state, and county government agencies rely exten- 
sively on the SSN to manage records, verify benefit eligibility, collect outstanding 
debt, conduct research and program evaluations, and verify information provided to 
state drivers’ licensing agencies. 4 Given that SSNs are often the identifier of choice 
among individuals seeking to create false identities, these agencies are taking steps 
to safeguard SSNs. Yet despite these actions, SSNs appear in records displayed to 
the public such as documents that record financial transactions or court documents. 
In our current work for this Subcommittee, we are looking at the storage, display, 
and protection of SSNs in public records. Our preliminary survey data show that 
the types of records mostly likely to contain SSNs and be made available to the gen- 
eral public by state government entities are court records, death records, Uniform 
Commercial Code (UCC) filings, and professional licensing records. In addition, our 
preliminary results show responding state offices reported over 35 instances where 
they had no specific use for collecting SSNs. In a previous report, we proposed that 
Congress consider developing a unified approach to safeguarding SSNs used in all 
levels of government and particularly those displayed in public records, and we con- 
tinue to believe that this approach has merit. 5 


iTJ.S. General Accounting Office, Social Security Numbers : Private Sector Entities Routinely 
Obtain and Use SSNs, and Laws Limit the Disclosure of This Information, GAO-04—11 (Wash- 
ington D.C.: January 22, 2004). 

2 See U.S. General Accounting Office, Social Security Numbers: Government Benefits from SSN 
Use but Could Provide Better Safeguards, GAO— 02-352 (Washington, D.C.: May 31, 2002). 

3 GAO-04-11 (Washington D.C.: January 2004). 

4 GAO-02-352 (Washington D.C.: May 2002). 

5 GAO-02-352 (Washington D.C.: May 2002). 
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Background 

The Social Security Act of 1935 authorized SSA to establish a record-keeping sys- 
tem to help manage the Social Security program, and this resulted in the creation 
of the SSN. Through a process known as enumeration, unique numbers are created 
for every person as a work and retirement benefit record for the Social Security pro- 
gram. SSA generally issues SSNs to most U.S. citizens, and SSNs are also available 
to noncitizens lawfully admitted to the United States with permission to work. SSA 
estimates that approximately 277 million individuals currently have SSNs. The SSN 
has become the identifier of choice for government agencies and private businesses, 
and thus it is used for a myriad of non-Social Security purposes. 

The growth in the use of SSNs is important to individual SSN holders because 
these numbers, along with names and birth certificates, are among the three per- 
sonal identifiers most often sought by identity thieves. 6 In addition, SSNs are used 
as breeder information to create additional false identification documents, such as 
drivers’ licenses. Recent statistics collected by federal agencies and CRAs indicate 
that the incidence of identity theft appears to be growing. 7 The Federal Trade Com- 
mission (FTC), the agency responsible for tracking identity theft, reported that con- 
sumer fraud and identity theft complaints grew from 404,000 in 2002 to 516,740 in 
2003. In 2003, consumers also reported losses from fraud of more than $437 million, 
up from $343 million in 2002. In addition, identity crime account for over 80 percent 
of SSN misuse allegations according to the SSA. Also, officials from two of the three 
national CRAs report an increase in the number of 7-year fraud alerts placed on 
consumer credit files, which they consider to be reliable indicators of the incidence 
of identity theft. 8 Law enforcement entities report that identity theft is almost al- 
ways a component of other crimes, such as bank fraud or credit card fraud, and may 
be prosecuted under the statutes covering those crimes. 

Private Sector entities Routinely Obtain and Use SSNs, and Certain Laws 
Affect The Disclosure of This Information 

Private sector entities such as information resellers, CRAs, and health care orga- 
nizations routinely obtain and use SSNs. 9 Such entities obtain the SSNs from var- 
ious public sources and their business clients wishing to use their services. We 
found that these entities usually use SSNs for various purposes, such as to build 
tools that verify an individual’s identity or match existing records. Certain federal 
laws have limited the disclosures private sector entities are allowed to make to their 
customers, and some states have also enacted laws to restrict the private sector’s 
use of SSNs. 

Private Sector Entities Obtain SSNs from Public and Private Sources and 
Use SSNs for Various Purposes 

Private sector entities such as information resellers, CRAs, and health care orga- 
nizations generally obtain SSNs from various public and private sources and use 
SSNs to help identify individuals. Of the various public sources available, large in- 
formation resellers told us they obtain SSNs from various records displayed to the 
public such as records of bankruptcies, tax liens, civil judgments, criminal histories, 
deaths, real estate ownership, driving histories, voter registrations, and professional 
licenses. Large information resellers said that they try to obtain SSNs from public 
sources where possible, and to the extent public record information is provided on 
the Internet, they are likely to obtain it from such sources. Some of these officials 
also told us that they have people that go to courthouses or other repositories to 
obtain hard copies of public records. Additionally, they obtain batch files of elec- 
tronic copies of all public records from some jurisdictions. 

Given the varied nature of SSN data found in public records, some reseller offi- 
cials said they are more likely to rely on receiving SSNs from their business clients 


6 United States Sentencing Commission, Identity Theft Final Alert (Washington, D.C.: Dec. 
15, 1999). 

7 U.S. General Accounting Office, Identity Theft: Prevalence and Cost Appear to he Growing, 
GAO-02-363 (Washington, D.C.: Mar. 1, 2002). 

8 A fraud alert is a warning that someone may be using the consumer’s personal information 
to fraudulently obtain credit. When a fraud alert is placed on a consumer’s credit card file, it 
advises credit grantors to conduct additional identity verification before granting credit. The 
three consumer reporting agencies offers fraud alerts that can vary from 2 to 7 years at the 
discretion of the individual. 

9 Information resellers, sometimes referred to as information brokers, are businesses that spe- 
cialize in amassing consumer information that includes SSNs for informational services. CRAs, 
also known as credit bureaus, are agencies that collect and sell information about the credit- 
worthiness of individuals. Health care organizations generally deliver their services through a 
coordinated system that includes health care providers and health plans, also referred to as 
health care insurers. 
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than they are from obtaining SSNs from public records. These entities obtain SSNs 
from their business clients, who provide SSNs in order to obtain a reseller’s services 
or products, such as background checks, employee screening, determining criminal 
histories, or searching for individuals. Large information resellers also obtain SSN 
information from private sources. In many cases such information was obtained 
through review of data where a customer has voluntarily supplied information re- 
sellers with information about himself or herself. In addition, large reseller officials 
said they also use their clients’ records in instances where the client has provided 
them with information. 

We also found that Internet-based resellers rely extensively on public sources and 
records displayed to the public. These resellers listed on their Web sites public infor- 
mation sources, such as newspapers, and various kinds of public record sources at 
the county, state, and national levels. During our investigation, we determined that 
once Internet-based resellers obtained an individual’s SSN they relied on informa- 
tion in public records to help verify the individual’s identity and amass information 
around the individual’s SSN. 

Like information resellers, CRAs also obtain SSNs from public and private 
sources as well as from their customers or the businesses that furnish data to them. 
CRA officials said that they obtain SSNs from public sources, such as bankruptcy 
records, a fact that is especially important in terms of determining that the correct 
individual has declared bankruptcy. CRA officials also told us that they obtain SSNs 
from other information resellers, especially those that specialize in obtaining infor- 
mation from public records. However, SSNs are more likely to be obtained from 
businesses that subscribe to their services, such as banks, insurance companies, 
mortgage companies, debt collection agencies, child support enforcement agencies, 
credit grantors, and employment screening companies. Individuals provide these 
businesses with their SSNs for reasons such as applying for credit, and these busi- 
nesses voluntarily report consumers’ charge and payment transactions, accompanied 
by SSNs, to CRAs. 

We found that health care organizations were less likely to rely on public sources 
for SSN data. Health care organizations obtain SSNs from individuals themselves 
and from companies that offer health care plans. For example, subscribers or policy- 
holders provide health care plans with their SSNs through their company or em- 
ployer group when they enroll in health care plans. In addition to health care plans, 
health care organizations include health care providers, such as hospitals. Such en- 
tities often collect SSNs as part of the process of obtaining information on insured 
people. However, health care officials said that, particularly with hospitals, the med- 
ical record number rather than the SSN is the primary identifier. 

Information resellers, CRAs, and health care organization officials all said that 
they use SSNs to verify an individual’s identity. Most of the officials we spoke to 
said that the SSN is the single most important identifier available, mainly because 
it is truly unique to an individual, unlike an individual’s name and address, which 
can often change over an individual’s lifetime. Large information resellers said that 
they generally use the SSN as an identity verification tool. Some of these entities 
have incorporated SSNs into their information technology, while others have incor- 
porated SSNs into their clients’ databases used for identity verification. For exam- 
ple, one large information reseller that specializes in information technology solu- 
tions has developed a customer verification data model that aids financial institu- 
tions in their compliance with some federal laws regarding “knowing your cus- 
tomer.” We also found that Internet-based information resellers use the SSN as a 
factor in determining an individual’s identity. We found these types of resellers to 
be more dependent on SSNs than the large information resellers, primarily because 
their focus is more related to providing investigative or background-type services to 
anyone willing to pay a fee. Most of the large information resellers officials we spoke 
to said that although they obtain the SSN from their business clients, the informa- 
tion they provide back to their customers rarely contains the SSN. Almost all of the 
officials we spoke to said that they provide their clients with a truncated SSN, an 
example of which would be xxx-xx-6789. 

CRAs use SSNs as the primary identifier of individuals, which enables them to 
match the information they receive from their business clients with the information 
stored in their databases on individuals. 10 Because these companies have various 
commercial, financial, and government agencies furnishing data to them, the SSN 


10 We found that CRAs and information resellers can sometimes be the same entity, a fact 
that blurs the distinction between the two types of businesses but does not affect the use of 
SSNs by these entities. Five of the six large information resellers we spoke to said they were 
also CRAs. Some CRA officials said that information reselling constituted as much as 40 percent 
of CRAs’ business. 
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is the primary factor that ensures that incoming data is matched correctly with an 
individual’s information on file. For example, CRA officials said they use several fac- 
tors to match incoming data with existing data, such as name, address, and finan- 
cial account information. If all of the incoming data, except the SSN, match with 
existing data, then the SSN will determine the correct person’s credit file. Given 
that people move, get married, and open new financial accounts, these officials said 
that it is hard to distinguish among individuals. Because the SSN is the one piece 
of information that remains constant, they said that it is the primary identifier that 
they use to match data. 

Health care organizations also use the SSN to help verify the identity of individ- 
uals. These organizations use SSNs, along with other information, such as name, 
address, and date of birth, as a factor in determining a member’s identity. Health 
care officials said that health care plans, in particular, use the SSN as the primary 
identifier of an individual, and it often becomes the customer’s insurance number. 
Health care officials said that they use SSNs for identification purposes, such as 
linking an individual’s name to an SSN to determine if premium payments have 
been made. They also use the SSN as an online services identifier, as an alternative 
policy identifier, and for phone-in identity verification. Health care organizations 
also use SSNs to tie family members together where family coverage is used, 11 to 
coordinate member benefits, and as a cross-check for pharmacy transactions. Health 
care industry association officials also said that SSNs are used for claims proc- 
essing, especially with regard to Medicare. According to these officials, under some 
Medicare programs, SSNs are how Medicare identifies benefits provided to an indi- 
vidual. 

Certain Laws Limit the Private Sectors’ Disclosure of Personal Information 
That Includes SSNs 

Certain federal and state laws have placed restrictions on certain private sector 
entities use and disclosure of consumers’ personal information that includes SSNs. 
Such laws include the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley 
Act (GLBA), the Drivers Privacy Protection Act (DPPA), and the Health Insurance 
Portability and Accountability Act (HIPAA). As shown in table 1, the laws either 
restrict the disclosures that entities such as information resellers, CRAs, and health 
care organizations are allowed to make to specific purposes or restrict whom they 
are allowed to give the information to. Moreover, as shown in table 1, these laws 
focus on limiting or restricting access to certain personal information and are not 
specifically focused on information resellers. See appendix I for more information on 
these laws. 

Table 1: Aspects of Federal Laws That Affect Private Sector Disclosure of Personal 

Information 


Federal Laws 

Restrictions 

Fair Credit Reporting Act 

Limits access to credit data that includes SSNs to those 
who have a permissible purpose under the law. 

Gramm-Leach-Bliley Act 

Creates a new definition of personal information that in- 
cludes SSNs and limits when financial institutions may 
disclose the information to non-affiliated third parties. 

Drivers Privacy Protection Act 

Prohibits obtaining and disclosing SSNs and other personal 
information from a motor vehicle record except as ex- 
pressly permitted under the law. 

Health Insurance Portability 

Protects the privacy of health information that identifies an 

and Accountability Act 

individual (including by SSNs) and restricts health care 
organizations from disclosing such information to others 
without the patient’s consent. 


Source: GAO analysis. 


We reviewed selected legislative documents of 18 states and found that at least 
6 states have enacted their own legislation to restrict either the display or use of 
SSNs by the private sector. 12 Notably, in 2001, California enacted Senate Bill (SB) 


11 During the enrollment process, subscribers have a number of options, one of which is de- 
cided whether they would like single or family coverage. In cases where family coverage is cho- 
sen, the SSN is the key piece of information generally allowing the family members to be linked. 

12 On the basis of our interviews with private sector businesses and organizations, contacts 
with some state offices of attorney general, and identified state laws and legislative initiatives 

Continued 
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168, restricting private sector use of SSNs. Specifically, this law generally prohibits 
companies and persons from certain uses such as, posting or publicly displaying 
SSNs and printing SSNs on cards required to access the company’s products or serv- 
ices. Furthermore, in 2002, shortly after the enactment of SB 168, California’s Office 
of Privacy Protection published recommended practices for protecting the confiden- 
tiality of SSNs. These practices were to serve as guidelines to assist private and 
public sector organizations in handling SSNs. 

Similar to California’s law, Missouri’s law (2003 Mo. SB 61), which is not effective 
until July 1, 2006, bars companies from requiring individuals to transmit SSNs over 
the Internet without certain safety measures, such as encryption and passwords. 
However, while SB 61 prohibits a person or private entity from publicly posting or 
displaying an individual’s SSN “in any manner,” unlike California’s law, it does not 
specifically prohibit printing the SSN on cards required to gain access to products 
or services. In addition, Arizona’s law (2003 Ariz. Sess. Laws 137), effective January 
1, 2005, restricts the use of SSNs in ways very similar to California’s law. However, 
in addition to the private sector restrictions, it adds certain restrictions for state 
agencies and political subdivisions. 13 For example, state agencies and political sub- 
divisions are prohibited from printing an individual’s SSN on cards and certain 
mailings to the individual. Last, Texas prohibits the display of SSNs on all cards, 
while Georgia and Utah’s laws are directed at health insurers and, therefore, per- 
tain primarily to insurance identification cards. 14 None of these three laws contain 
the provisions mentioned above relating to Internet safety measures and mailing re- 
strictions. Table 2 lists states that have enacted legislation and related provisions. 


Table 2: Provisions Included in Enacted Legislation Reviewed 


Provision 

States Where Provision or Restriction Enacted 

Specifically prohibits display on cards 

Requires Internet safety measures 

Restricts mailing of SSNs 

AZ, CA, GA, TX, UT 

AZ, CA, MO 

AZ, CA 


Source: GAO analysis. 


Public Sector Entities Also Use SSNs and Some Agencies Limit Their Use 
and Display Even Though SSNs are Displayed in Some Public Records 

Agencies at all levels of government frequently obtain and use SSNs. A number 
of federal laws require government agencies to obtain SSNs, and these agencies use 
SSNs to administer their programs, verify applicants’ eligibility for services and 
benefits, and do research and evaluation. Given the potential for misuse, some gov- 
ernment agencies are taking steps to limit their use and display of SSNs and pre- 
vent the proliferation of false identities. However, given the open nature of certain 
government records, SSNs appear in some records displayed to the public. Our ongo- 
ing work is looking at the storage, display, and protection of SSNs in records dis- 
played to the public. 

Public Sector Entities Are Required by Laws and Regulations to Obtain 
SSNs for Various Purposes 

Government agencies obtain SSNs because a number of federal laws and regula- 
tions require certain programs and federally funded activities to use the SSN for 
administrative purposes. 15 Such laws and regulations require the use of the SSN 
as an individual’s identifier to facilitate automated exchanges that help administra- 
tors enforce compliance with federal laws, determine eligibility for benefits, or both. 
For example, the Internal Revenue Code and regulations, which govern the adminis- 
tration of the federal personal income tax program, require that individuals’ SSNs 
serve as taxpayer identification numbers. 16 A number of other federal laws require 


related to the use of SSNs, we did a legislative review of 18 states that were identified as having 
laws or proposed laws governing SSN use. In the 18 states we researched, we reviewed more 
than 40 legislative documents, including relevant laws, proposed laws, legislative summaries, 
and other related documents, such as state regulations, executive orders, and referendums. 

13 Political subdivisions would include counties, cities, and towns. 

14 Georgia’s law (O.C.G.A. § 33-24— 57.1(f)) and Utah’s law (Utah Code Ann. §31-22—634) are 
both effective July 1, 2004. However, Utah’s law provides certain extensions until March 1, 
2005. Texas’ law (2003 Tex. Gen. Laws 341) is effective March 1, 2005. 

15 U.S. General Accounting Office, Social Security Numbers: Government and Commercial Use 
of the Social Security Number is Widespread , GAO/HEHS— 99— 28 (Washington D.C.: February 
1999). 

16 This means that employers and others making payments to individuals must include the 
individuals’ SSNs in reporting to IRS many of these payments. In addition, the Code and regula- 
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program administrators to use SSNs in determining applicants’ eligibility for feder- 
ally funded benefits. The Social Security Act requires individuals to provide their 
SSNs in order to receive benefits under the SSI, Food Stamp, Temporary Assistance 
for Needy Families, and Medicaid programs. 17 In addition, the Commercial Motor 
Vehicle Safety Act of 1986 requires the use of SSNs to identify individuals and es- 
tablished the Commercial Driver’s License Information System, a nationwide data- 
base where states may use individuals’ SSNs to search the database for other state- 
issued licenses commercial drivers may hold. 18 Federal law also requires the use of 
SSNs in state child support programs to help states locate noncustodial parents, es- 
tablish and enforce support orders, and recoup state welfare payments from par- 
ents. 19 The law also allows states to record SSNs on many other state documents, 
such as professional, occupational, and marriage licenses; divorce decrees; paternity 
determinations; and death certificates, and to make SSNs associated with these doc- 
uments available for state child support agencies to use in locating and obtaining 
child support payments from noncustodial parents. 

Government agencies use SSNs for a variety of reasons. We found that most of 
these agencies use SSNs to administer their programs, such as to identify, retrieve, 
and update their records. In addition, many agencies also use SSNs to share infor- 
mation with other entities to bolster the integrity of the programs they administer. 
As unique identifiers, SSNs help ensure that the agency is obtaining or matching 
information on the correct person. 

Government agencies also share information containing SSNs for the purpose of 
verifying an applicant’s eligibility for services or benefits, such as matching records 
with state and local correctional facilities to identify individuals for whom the agen- 
cy should terminate benefit payments. SSNs are also used to ensure program integ- 
rity. Agencies use SSNs to collect delinquent debts and even share information for 
this purpose. In addition, SSNs are used for statistics, research, and evaluation. 
Agencies responsible for collecting and maintaining data for statistical programs 
that are required by statute, make use of SSNs. In some cases, these data are com- 
piled using information provided for another purpose. For example, the Bureau of 
the Census prepares annual population estimates for states and counties using indi- 
vidual income tax return data linked over time by SSN to determine immigration 
rates between localities. 20 SSNs also provide government agencies and others with 
an effective mechanism for linking data on program participation with data from 
other sources to help evaluate the outcomes or effectiveness of government pro- 
grams. In some cases, records containing SSNs are sometimes matched across mul- 
tiple agency or program databases. 21 

Finally, government agencies use employees’ SSNs to fulfill some of their respon- 
sibilities as employers. For example, personnel departments of these agencies use 
SSNs to help them maintain internal records and provide employee benefits. In ad- 
dition, employers are required by law to use employees’ SSNs when reporting wages. 
Wages are reported to SSA, and the agency uses this information to update earnings 
records it maintains for each individual. The Internal Revenue Service (IRS) also 
uses SSNs to match the employer wage reports with amounts individuals report on 
personal income tax returns. Federal law also requires that states maintain employ- 
ers’ reports of newly hired employees, identified by SSNs. States must forward this 
information to a national database that is used by state child support agencies to 
locate parents who are delinquent in child support payments. 


tions require individuals filing personal income tax returns to include their SSNs as their tax- 
payer identification number, the SSNs of people whom they claim as dependents, and the SSNs 
of spouses to whom they paid alimony. 

17 Applicants give program administrators information on their income and resources, and pro- 
gram administrators use applicants’ SSNs to match records with those of other organizations. 

18 States may also use SSNs to search another database, the National Driver’s Registry, to 
determine whether an applicant’s license has been cancelled, suspended, or revoked by another 
state. In these situations, the states use SSNs to limit the possibility of inappropriately licensing 
applicants. 

19 The law requires states to maintain records that include (1) SSNs for individuals who owe 
or are owed support for cases in which the state has ordered child support payments to be made, 
the state is providing support, or both, and (2) employers’ records of new hires identified by 
SSN. 

"The Bureau of the Census is authorized by statute to collect a variety of information, and 
the Bureau is also prohibited from making it available, except in certain circumstances. 

21 The statistical and research communities refer to the process of matching records containing 
SSNs for statistical or research purposes as “record linkage.” See U.S. General Accounting Of- 
fice, Record Linkage and Privacy: Issues in Creating New Federal Research and Statistical Infor- 
mation, GAO— 01— 126SP (Washington, D.C.: Apr. 2001). 
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Government Agencies Are Taking Steps to Limit the Use and Display of 
SSNs 

Despite the widespread use of SSNs at all levels of government, not all agencies 
use SSNs. We found that some agencies do not obtain, receive, or use SSNs of pro- 
gram participants, service recipients, or individual embers of the public. 22 Moreover, 
not all agencies use the SSN as their primary identification number for record-keep- 
ing purposes. These agencies maintain an alternative number that is used in addi- 
tion to or in lieu of SSNs for certain activities. 

Some agencies are also taking steps to limit SSNs displayed on documents that 
may be viewed by others who may not have a need to view this personal informa- 
tion. For example, the Social Security Administration has truncated individuals’ 
SSNs that appear on the approximately 120 million benefits statements it mails 
each year. Some states have also passed laws prohibiting the use of SSNs as a stu- 
dent identification number. Almost all states have modified their policies on placing 
SSNs on state drivers’ licenses. 

At the federal level, SSA has taken steps in its enumeration process and 
verification service to help prevent SSNs from being used to proliferate false identi- 
ties. SSA has formed a task force to address weaknesses in its enumeration process 
and has (1) increased document verifications and developed new initiatives to pre- 
vent the inappropriate assignment of SSNs to noncitizens, and (2) undertaken ini- 
tiatives to shift the burden of processing noncitizen applications from its field of- 
fices. 23 SSA also helps prevent the proliferation of false identities through its 
verification service, which allows state driver licensing agencies to verify the SSN, 
name, and date of birth of customers with SSA’s master file of Social Security 
records. 24 Finally, SSA has also acted to correct deficiencies in its information sys- 
tems’ internal controls. These changes were made in response to the findings of an 
independent audit that found that SSA’s systems were exposed to both internal and 
external intrusion, increasing the possibility that sensitive information such as 
SSNs could be subject to unauthorized access, modification, and disclosure, as well 
as the risk of fraud. 

Public Records Can Also Be a Source of SSNs 

Given the open nature of certain government records, SSNs appear in these 
records for a number of reasons. For example, SSNs may already be a part of a doc- 
ument that is submitted to a recorder for official preservation, such as veterans’ dis- 
charge papers. Documents that record financial transactions, such as tax liens and 
property settlements, also contain SSNs to help identify the correct individual. As 
previously stated, government officials are required by law to collect SSNs in nu- 
merous instances. Moreover, some state laws allow government entities to collect 
SSNs on voter registries to help avoid duplicate registrations. 

Courts at all three levels of government also collect and maintain records that are 
routinely made available to the public. Court records overall are presumed to be 
public. However, each court may have its own rules or practices governing the re- 
lease of information. SSNs appear in court documents for a variety of reasons. In 
many cases, SSNs are already a part of documents that are submitted by attorneys 
or individuals. These documents could be submitted as part of the evidence for a 
proceeding or could be included as part of a petition for an action, such as a judg- 
ment or a divorce. In other cases, courts include SSNs on documents they and other 
government officials create, such as criminal summonses, arrest warrants, and judg- 
ments, to increase the likelihood that the correct individual is affected (i.e., to avoid 
arresting the wrong John Smith). Again, in some cases, federal law requires that 
SSNs be placed in certain records that courts maintain, such as child support or- 
ders. 

In our prior report, we looked at the extent and nature of federal, state, and coun- 
ty governments’ use of SSNs when they are contained in public records, and the op- 
tions available to better safeguard SSNs that are found in these public records. 25 
Our findings led us to suggest that Congress consider addressing SSN security and 
display issues in state and local government and in public records, including those 
maintained by the judicial branch of government at all levels. We proposed that 


22 GAO— 02 — 352 (Washington D.C.: May 2002). 

23 See U.S. General Accounting Office, Social Security Administration: Actions Taken to 
Strengthen Procedures for Issuing Social Security Numbers to Noncitizens but Some Weakness 
Remain, GAO-04-12 (Washington D.C.: October 15, 2003). See U.S. General Accounting Office, 
Social Security Numbers: Improved SSN Verification and Exchange of States’ Driver Records 
Would Enhance Identity Verification , GAO— 03-920 (Washington D.C.: September 15, 2003). 

2 “ GAO-03-920 (Washington D.C.: September 2003). 

25 GAO-02-352 (Washington D.C.: May 2002) 
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Congress convene a representative group of officials from all levels of government 
to develop a unified approach to safeguard SSNs used in all levels of government 
and particularly those displayed in public records. 

At the request of this subcommittee, GAO was asked what types of public records 
SSNs are stored in, how are those records maintained, and to what extent SSNs 
are displayed inside those records. To do this work, we are surveying over 2,500 offi- 
cials in state and local government agencies, including officials in all 50 states and 
the District of Columbia, and are conducting structured interviews of federal agen- 
cies. Our preliminary survey data show that the types of records most likely to con- 
tain SSNs and be made available to the general public by state government entities 
are court records, death records, UCC filings, and professional licensing records. At 
the local level, court records and land records are those most often cited as con- 
taining SSNs and being available to the general public. Preliminary data analysis 
indicates that identity verification is the most frequently given reason by both state 
and local respondents for collecting or using SSNs that are in records available to 
the public. Data matching and complying with state laws or regulations are also fre- 
quently cited as reasons for the collection or use of the SSN. However, responding 
state offices reported over 35 instances where they had no specific use for collecting 
SSNs. 

Conclusions 

Public and private entities use SSNs for many legitimate and publicly beneficial 
purposes. However, the more frequently SSNs are obtained and used, the more like- 
ly they are to be misused. As we continue to learn more about the entities that ob- 
tain SSNs and the purposes for which they obtain them, Congress and state legisla- 
tures will be able to determine if there are ways to limit access to this valuable 
piece of information and prevent it from being misused. However, restrictions on ac- 
cess or use may make it more difficult for businesses and government agencies to 
verify an individual’s identity. Accordingly, policy makers will have to balance re- 
strictions on the use of SSNs on the one hand with legitimate needs for the use of 
SSNs on the other. 

Although individuals may choose to provide their SSNs to public and private sec- 
tor entities to obtain their services, individuals are often required to have their 
SSNs in records that may ultimately be displayed to the public. Such public display 
of personal information can create opportunities for identity crimes. Safeguarding 
SSNs in records displayed to the public offers an additional challenge because of the 
inherent tension between the nature of public records, that is, the need for trans- 
parency in government activities, and the need to protect individuals’ privacy. For 
this reason, in prior work, we recommended that Congress convene a representative 
group of officials to develop a unified approach to safeguard SSNs used in all levels 
of government and particularly those displayed in public records. We continue to be- 
lieve that this would be a useful step toward preventing SSN misuse while acknowl- 
edging the needs of various levels of government. 

At this subcommittee’s request, we are continuing work on SSNs and their pres- 
ence in public records and look forward to supporting continuing congressional con- 
sideration of these important policy issues. That concludes my testimony, and I 
would be pleased to respond to any questions the subcommittee has. 
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Appendix I: Federal Laws Affecting Information Resellers, CRAs, and Health Care 
Organizations: 

Gramm-Leach-Bliley Act (GLBA): 

GLBA requires companies to give consumers privacy notices that explain the in- 
stitutions’ information-sharing practices. In turn, consumers have the right to limit 
some, but not all, sharing of their nonpublic personal information. Financial institu- 
tions are permitted to disclose consumers’ nonpublic personal information without 
offering them an opt-out right in the following circumstances: 

• to effect a transaction requested by the consumer in connection with a financial 
product or service requested by the consumer; maintaining or servicing the con- 
sumer’s account with the financial institution or another entity as part of a pri- 
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vate label credit card program or other extension of credit; or a proposed or ac- 
tual securitization, secondary market sale, or similar transaction; 

• with the consent or at the direction of the consumer; 

• to protect the confidentiality or security of the consumer’s records; to prevent 
actual or potential fraud, for required institutional risk control or for resolving 
customer disputes or inquiries, to persons holding a legal or beneficial interest 
relating to the consumer, or to the consumer’s fiduciary; 

• to provide information to insurance rate advisory organizations, guaranty funds 
or agencies, rating agencies, industry standards agencies, and the institution’s 
attorneys, accountants, and auditors; 

• to the extent specifically permitted or required under other provisions of law 
and in accordance with the Right to Financial Privacy Act of 1978, to law en- 
forcement agencies, self-regulatory organizations, or for an investigation on a 
matter related to public safety; 

• to a consumer reporting agency in accordance with the Fair Credit Reporting 
Act or from a consumer report reported by a consumer reporting agency; 

• in connection with a proposed or actual sale, merger, transfer, or exchange of 
all or a portion of a business if the disclosure concerns solely consumers of such 
business; 

• to comply with federal, state, or local laws; an investigation or subpoena; or to 
respond to judicial process or government regulatory authorities. 

Financial institutions are required by GLBA to disclose to consumers at the initi- 
ation of a customer relationship, and annually thereafter, their privacy policies, in- 
cluding their policies with respect to sharing information with affiliates and non- 
affiliated third parties. 

Provisions under GLBA place limitations on financial institutions disclosure of 
customer data, thus affecting some CRAs and information resellers. We found that 
some CRAs consider themselves to be financial institutions under GLBA. 26 These 
entities are therefore directly governed by GLBA’s restrictions on disclosing non- 
public personal information to non-affiliated third parties. We also found that some 
of the information resellers we spoke to did not consider their companies to be fi- 
nancial institutions under GLBA. However, because they have financial institutions 
as their business clients, they complied with GLBA’s provisions in order to better 
serve their clients and ensure that their clients are in accordance with GLBA. For 
example, if information resellers received information from financial institutions, 
they could resell the information only to the extent that they were consistent with 
the privacy policy of the originating financial institution. 

Information resellers and CRAs also said that they protect the use of non-public 
personal information and do not provide such information to individuals or unau- 
thorized third parties. In addition to imposing obligations with respect to the disclo- 
sures of personal information, GLBA also requires federal agencies responsible for 
financial institutions to adopt appropriate standards for financial institutions relat- 
ing to safeguarding customer records and information. Information resellers and 
CRA officials said that they adhere to GLBA’s standards in order to secure financial 
institutions’ information. 

Drivers Privacy Protection Act (DPP A): 

The DPPA specifies a list of exceptions when personal information contained in 
a state motor vehicle record may be obtained and used (18 U.S.C. § 2721(b)). These 
permissible uses include: 

for use by any government agency in carrying out its functions; 

for use in connection with matters of motor vehicle or driver safety and theft; motor 
vehicle emissions; motor vehicle product alterations, recalls, or advisories; motor ve- 
hicle market research activities, including survey research; 

for use in the normal course of business by a legitimate business, but only to verify 
the accuracy of personal information submitted by the individual to the business 
and, if such information is not correct, to obtain the correct information but only 
for purposes of preventing fraud by pursuing legal remedies against, or recovering 
on a debt or security interest against, the individual; 

• for use in connection with any civil, criminal, administrative, or arbitral pro- 
ceeding in any federal, state, or local court or agency; 

• for use in research activities; 


26 Under GLBA, the term financial institution is defined as “any institution the business of 
which is engaging in financial activities as described in section 4(k) of the Bank Holding Com- 
pany Act of 1956,” which goes into more detail about what are “activities that are financial in 
nature.” These generally include banking, insurance, and investment industries. 
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• for use by any insurer or insurance support organization in connection with 
claims investigation activities; 

• for use in providing notice to the owners of towed or impounded vehicles; 

• for use by a private investigative agency for any purpose permitted under the 
DPPA; 

• for use by an employer or its agent or insurer to obtain information relating 
to the holder of a commercial driver’s license; 

• for use in connection with the operation of private toll transportation facilities; 

• for any other use, if the state has obtained the express consent of the person 
to whom a request for personal information pertains; 

• for bulk distribution of surveys, marketing, or solicitations, if the state has ob- 
tained the express consent of the person to whom such personal information 
pertains; 

• for use by any requester, if the requester demonstrates that it has obtained the 
written consent of the individual to whom the information pertains; 

• for any other use specifically authorized under a state law, if such use is related 
to the operation of a motor vehicle or public safety. 

As a result of DPPA, information resellers said they were restricted in their abil- 
ity to obtain SSNs and other driver license information from state motor vehicle of- 
fices unless they were doing so for a permissible purpose under the law. These offi- 
cials also said that information obtained from a consumer’s motor vehicle record has 
to be in compliance with DPPA’s permissible purposes, thereby restricting their abil- 
ity to resell motor vehicle information to individuals or entities not allowed to re- 
ceive such information under the law. Furthermore, because DPPA restricts state 
motor vehicle offices’ ability to disclose driver license information, which includes 
SSN data, information resellers said they no longer try to obtain SSNs from state 
motor vehicle offices, except for permissible purposes. 

Health Insurance Portability and Accountability Act (HIPAA): 

The HIPAA privacy rule also defines some rights and obligations for both covered 
entities and individual patients and health plan members. Some of the highlights 
are: 

• Individuals must give specific authorization before health care providers can 
use or disclose protected information in most nonroutine circumstances, such as 
releasing information to an employer or for use in marketing activities. 

• Covered entities will need to provide individuals with written notice of their pri- 
vacy practices and patients’ privacy rights. The notice will contain information 
that could be useful to individuals choosing a health plan, doctor, or other serv- 
ice provided. Patients will be generally asked to sign or otherwise acknowledge 
receipt of the privacy notice. 

Covered entities must obtain an individual’s specific authorization before sending 
them marketing materials. 

Health care organizations, including health care providers and health plan insur- 
ers, are subject to HIPAA’s requirements. In addition to providing individuals with 
privacy practices and notices, health care organizations are also restricted from dis- 
closing a patient’s health information without the patient’s consent, except for pur- 
poses of treatment, payment, or other health care operations. Information resellers 
and CRAs did not consider themselves to be “covered entities” under HIPAA, al- 
though some information resellers said that their customers are considered to be 
business associates under HIPAA. As a result, they said they are obligated to oper- 
ate under HIPAA’s standards for privacy protection, and therefore could not resell 
medical information without having made sure HIPAA’s privacy standards were 
met. 

Fair Credit Reporting Act (FCRA); 

Congress has limited the use of consumer reports to protect consumers’ privacy. 
All users must have a permissible purpose under the FCRA to obtain a consumer 
report (15 USC 1681b). These permissible purposes are: 

• as ordered by a court or a federal grand jury subpoena; 

• as instructed by the consumer in writing; 

• for the extension of credit as a result of an application from a consumer or the 
review or collection of a consumer’s account; 

• for employment purposes, including hiring and promotion decisions, where the 
consumer has given written permission; 

• for the underwriting of insurance as a result of an application from a consumer; 
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• when there is a legitimate business need, in connection with a business trans- 
action that is initiated by the consumer; 

• to review a consumer’s account to determine whether the consumer continues 
to meet the terms of the account; 

• to determine a consumer’s eligibility for a license or other benefit granted by 
a governmental instrumentality required by law to consider an applicant’s fi- 
nancial responsibility or status; 

• for use by a potential investor or servicer or current insurer in a valuation or 
assessment of the credit or prepayment risks associated with an existing credit 
obligation; and 

• for use by state and local officials in connection with the determination of child 
support payments, or modifications and enforcement thereof. 

Under FCRA, Congress has limited the use of consumer reports 27 to protect con- 
sumers’ privacy and limits access to credit data to those who have a legally permis- 
sible purpose for using the data, such as the extension of credit, employment pur- 
poses, or underwriting insurance. However, these limits are not specific to SSNs. All 
of the CRAs that we spoke to said that they are considered consumer reporting 
agencies under FCRA. In addition, some of the information resellers we spoke to 
who handle or maintain consumer reports are classified as CRAs under FCRA. Both 
CRAs and information resellers said that as a result of FCRAs restrictions they are 
limited to providing credit data to their customers that have a permissible purpose 
under FCRA. Consequently, they are restricted by law from providing such informa- 
tion to the general public. 


Chairman SHAW. Thank you very much. Mr. Maxwell. 

STATEMENT OF LAWRENCE E. MAXWELL, ASSISTANT CHIEF 

INSPECTOR, INVESTIGATIONS AND SECURITY, UNITED 

STATES POSTAL INSPECTION SERVICE 

Mr. MAXWELL. Thank you, Mr. Chairman and Members of the 
Committee. I really appreciate your having us here today and your 
focus on this very important issue. As a way of background, myself 
and others in the Postal Inspection Service have reviewed the pro- 
visions in the new legislation, and we are very enthusiastic. I have 
had 27 years in law enforcement, most of which has been in mail 
fraud investigations, and I truly welcome a lot of the provisions 
here, particularly the preventive and the enhanced penalty meth- 
ods. 

One of the things, for those who aren’t familiar with the Postal 
Inspection Service, we date ourselves as the oldest Federal law en- 
forcement agency, going back to Ben Franklin and the statute, mail 
fraud, was enacted in 1870s, and it makes it the oldest and the 
first consumer protection law on the books, arguably the best. I 
still think it is the best. One may ask, well, how did somebody who 
is in the hand delivery business get propelled into identity theft in 
the electronic communications age? Well, I will bring you up to 
that in a second how the tie-in is. 

The Postal Inspection Service covers Maine to Guam. There is 
roughly 2,000 of us, making us a very small agency. Approximately 
300 inspectors are devoted to mail fraud, and we pride ourselves 
primarily on consumer fraud. As stated earlier, identity theft re- 
mains a vexing problem, insidious in nature, and clearly a predator 
on those unsuspecting. It totally devastates your life. It takes 
months, years to put it back together again afterward. So, clearly 


27 The FTC has determined that certain types of information, including SSNs, do not con- 
stitute as consumer report under FCRA because they are not factors in determining credit eligi- 
bility. 
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it is something that we have been living with for some time, and 
we are aggressively pursuing and should. 

From our experience, mail itself, based on an FTC study recently, 
only represents about 4 percent of identity crimes; 4 percent, that 
is, in stolen mail, information obtained from mail that has been 
stolen. We used to think it was worse. In fact, a lot of our preven- 
tion messages cued in on that, to protect your mail from theft. 
However, we have since learned that really it comes more from the 
after fact, the use of mails to file applications, credit information 
and so forth. However, that doesn’t stop us from taking assertive 
actions on mail theft programs. 

In the mail fraud area, primarily what we have seen in both ar- 
rest statistics, a combination of arrests from mail theft and fraud, 
totals 3,000 of our 10,000 arrests each year. As you can conclude, 
that is a very substantial number of our activities in the criminal 
area. What we have found as a strategy, and that is really what 
we are here to address today, outreaching is extremely important. 
Ourselves and the FTC have been partners for some time. We have 
had a formal memorandum of understanding. We share data, fraud 
data, and we do a number of prevention and educational campaigns 
together. 

Clearly the events of 2 years ago propelled all of us in the law 
enforcement community to work better together, and although the 
Postal Inspection Service only has 200 statutes which it has to 
worry about, still we find a lot of the overlaps in areas where we 
can fill in the gaps and help out. For example, we are on a number 
of financial crimes investigative task forces around the country. We 
are also part of the National Joint Terrorism Task Force and the 
Joint Terrorism Task Force primarily focusing on mail information 
and financial information, again relating back to what we are talk- 
ing about today. 

Finally, one of the major initiatives is with the credit card indus- 
try itself with a group called the Financial Crimes Task Force. We 
have been together since the middle of the nineties, and that is the 
industry involved in credit cards and the Postal Service inspectors 
dealing on ways to share best practices and enforcement. That has 
worked out very well. In fact, we have come out with a publication 
which I have made available to all of you called Fighting Identity 
Theft, and in there it actually highlights the use of the importance 
of SSNs by minimizing the use of SSNs on page nine, if you care 
to look at that at some time. 

Another portion of our focus would be on deterrence. Of course, 
as a law enforcement officer I would be remiss not saying how im- 
portant it is to arrest those responsible for committing crimes. De- 
terrence serves a big purpose particularly when it is a high-profile 
case. Last year, for example, there was a case involving Carlos 
Lomax in Pittsburgh. He stole the identity of none other than Will 
Smith, the actor, obviously a prominent name, and he was doing 
quite well. In his guilty plea, and his cooperation, he agreed to film 
a video which we have available which he discusses some of the 
techniques he uses in identity theft. 

Finally, the strategy I most favor is prevention. We have a num- 
ber of prevention campaigns, and to just spin the old adage, crime 
does not pay, we have used it to pay. We have had a couple of U.S. 
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attorneys in the U.S. Department of Justice support us in putting 
asset forfeiture money and fine money into a fund called the Con- 
sumer Protection Fund. We have used that fund to conduct massive 
educational campaigns, joint campaigns. 

To my left, your right, is a poster where we had a partnership 
with Showtime where they made two feature films on postal in- 
spector cases. For years we were known as “the silent service,” and 
we are finding now in prevention and getting the word out we can’t 
be silent. They made a movie in the second of a series on identity 
theft specifically to dramatize the issue. On the right is a poster 
from the identity theft campaign which we conducted last Sep- 
tember. In that campaign we had a massive outreach of mailings. 
We produced a mini-drama which is on digital video disk, which I 
have also made available highlights how identity theft occurs and 
how it is reported and how it is enforced. Then, at the very end, 
and, I think, in dramatic fashion, it gives you tips on what to do 
to prevent identity theft. We also did a saturation mailing and pro- 
duced this brochure, which I think is very valuable. In closing, I 
would just reiterate the importance of that strategy using deter- 
rence and prevention and primarily education, because fraud is a 
crime where people can prevent it. They don’t have to participate 
if they know what to do. Thank you for your time. 

[The prepared statement of Mr. Maxwell follows:] 

Statement of Lawrence E. Maxwell, Assistant Chief Inspector, 
Investigations and Security, United States Postal Inspection Service 

Good morning, Mr. Chairman, members of the subcommittee. On behalf of the 
United States Postal Inspection Service, thank you for holding this hearing and giv- 
ing me the opportunity to discuss the subject of identity crimes and the significant 
role Postal Inspectors play in combating it. 

I’m Lawrence E. Maxwell, Assistant Chief Inspector, Investigations and Security, 
for the U.S. Postal Inspection Service. 

Role of the Postal Inspection Service 

The U.S. Postal Service delivers more than 200 billion pieces of mail a year, con- 
taining money, messages, and merchandise, to 138 million addresses at some of the 
most affordable postage rates in the world. U. S. Postal Inspectors are mandated 
to safeguard all of it — including the people who move it and the customers who use 
it. 

Congress empowered the Postal Service “to investigate postal offenses and civil 
matters relating to the Postal Service.” Through its security and enforcement func- 
tions, the Postal Inspection Service provides assurance to American businesses for 
the safe exchange of funds and securities through the U.S. Mail; to postal customers 
of the “sanctity of the seal” in transmitting correspondence and messages; and to 
postal employees of a safe work environment. 

As one of our country’s oldest federal law enforcement agencies, founded by Ben- 
jamin Franklin, the United States Postal Inspection Service has a long, proud and 
successful history of fighting criminals who attack our nation’s postal system and 
misuse it to defraud, endanger, or otherwise threaten the American public. 

Postal Inspectors work closely with U.S. Attorneys, other law enforcement agen- 
cies, and local prosecutors to investigate postal cases and prepare them for court. 
There are approximately 1,900 Postal Inspectors stationed throughout the United 
States who enforce roughly 200 federal laws covering investigations of crimes that 
adversely affect or fraudulently use the U.S. mail and postal system. 

Last year, U.S. Postal Inspectors made more than 11,000 arrests. Of those, over 
6,000 were related to mail theft. One-third of those involved identity theft. In the 
first eight months of our 2004 fiscal year, we exceeded the number of identity theft 
arrests made throughout all of last year. 

What is Identity Theft? 

Identity theft occurs when a thief steals key pieces of someone’s identifying infor- 
mation, such as name, date of birth, and Social Security number, and uses the infor- 
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mation to fraudulently apply for credit or to take over a victim’s credit or bank ac- 
counts. Identity theft occurs in a variety of ways. Those that involve the use of the 
mail receive swift and aggressive action by Postal Inspectors. We ensure that con- 
sumers are being protected. In addition, we work with the mailing industry to de- 
velop best practices on how best to design mailing pieces to prevent identity theft. 
Our collaboration with the mailing industry is another example of how the industry 
as a whole is serious about the issue and working to stay ontop of it for the benefit 
of consumers. Mail is important to consumers who receive itand to the businesses 
that send it. 

Tactics Used by Identity Thieves 

In the past, pre-screened credit offers were more vulnerable to identity theft be- 
cause they simply required the customer to sign the solicitation and return it. But 
now credit card companies have begun automatically discarding applications when 
they are returned with a change of address. Actions by the industry have made 
these mailings less attractive to would-be identity thieves. 

Identity theft is continuing to evolve with the expansion of the Internet and other 
electronic means. The mail is no more vulnerable than other sources of personal in- 
formation, such as corporate and government records and computer databases. Fi- 
nancial institutions have implemented many safeguards to reduce the likelihood 
that personal financial information found within the mail can be stolen. The Postal 
Service is continually working to improve the security of the mail, and Postal In- 
spectors are making great strides in apprehending those who would use the mail 
to further their crimes. 

Identity fraud is digging deep into consumer’s pockets — millions of dollars were 
lost in the past year by financial institutions and victims across the country. 
Thieves use a variety of tactics to drain a victim’s finances, including stealing mail; 
posing as a loan officer and ordering a victim’s credit report (which lists account 
numbers); “shoulder surfing” at the ATM or phone booth to get a victim’s PIN code; 
and “dumpster diving” in trash bins looking for credit applications, canceled checks 
or other bank records. 

Until a few years ago, a thief could submit an address change to divert customers’ 
mail without their knowledge. Usually, redirected mail is sent to a commercial mail 
receiving agency in an attempt to insure the perpetrator’s anonymity. In response 
to recommendations by the Chief Postal Inspector, a prevention measure that ad- 
dresses fraudulent change-of-address orders was adopted by the U.S. Postal Service. 
Post Offices now send a “Move Validation Letter” to both the old and new address 
when a change is filed. The letter instructs an individual to call an “800” number 
if a change was not filed. This simple measure has virtually eliminated false 
changes-of-address submitted to the Postal Service as an avenue for committing 
identity theft. 

Impact on Victims 

One of the most insidious aspects of identity theft is the length of time the scheme 
is carried out before it comes to anyone’s attention. It may be months before a vic- 
tim realizes they’ve been targeted. It’s not until a consumer gets turned down for 
credit, a car loan, or a mortgage on a dream house because of a bad credit rating — 
knowing they’ve paid their bills — do they begin to realize what has taken place. 
Most victims do not learn about the theft of their identity until 14 months after it 
has occurred. More than half of the victims we interviewed report their cases have 
been open, on average, 44 months. They also reported that, as victims, they spent, 
on average, 175 hours actively trying to restore their credit and “to clear their good 
name.” 

Identity theft can do more than ruin a person’s credit; it can cause more serious 
damage. Identity theft hurts a victim in two ways. First a victim must deal with 
the obvious financial issues. Second, a victim must contend with privacy and prac- 
tical issues such as overcoming a credit history that isn’t theirs. The problem doesn’t 
go away with a few phone calls — it can stick with a victim for a long time. That’s 
why it’s such a serious issue. Victims run the gamut of society, they’re wealthy, 
they’re poor, they’re old, and they’re young. Anyone can become a victim. 

In a recent Postal Inspection Service investigation based in Chicago, Illinois, the 
destructive activities of an identity thief resulted in the loss of thousands of dollars 
and the death of a primary victim. The scheme began in July 1999 when the iden- 
tity thief began dating the estranged wife of a Chicago resident. Without the vic- 
tim’s knowledge, the wife assisted the thief in stealing her former spouse’s identity 
by providing the thief with the spouse’s personal information. 

In January 2000, the spouse filed a complaint with the Chicago Police Depart- 
ment after realizing that he was a victim of identity theft with losses over $200,000. 
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In February, the spouse received a package from the thief wrapped as a FedEx de- 
livery. After holding the package for several days, the spouse received a voice mail 
message from the thief indicating the package was a gift. As he sat in his living 
room, he opened the package, which exploded, killing him instantly. 

Last year a colleague of mine learned about identity theft the hard way. His bank 
called and asked if he had authorized a $4,500 cash advance on his credit card in 
Miami, Florida that day. 

He was stunned. The bank had called only hours after the withdrawal was made, 
following an alert initiated because certain account parameters indicated something 
might be wrong. Luckily for him, the bank simply asked that he sign an affidavit 
that he had not been in Miami and hadn’t made the withdrawal. He wasn’t held 
liable for the money. And he never found out what ID the thief had used to get ac- 
cess to his account. 

Unfortunately, my colleague’s ordeal wasn’t over. He received a call a few months 
later from a cellular phone company, asking if he’d opened an account with them 
in Miami. Someone had racked up $1,800 in calling charges under his name and 
then disappeared. Once again, he signed an affidavit disclaiming knowledge of the 
charges, and the account was cleared. This time, he called the three main credit bu- 
reaus and reported the fraud. 

My colleague is just one of hundreds of thousands of individuals who are victim- 
ized each year. The culprits may be found among employees (or patrons) of mail- 
rooms, airlines, hotels or personnel offices — anyone who has access to a person’s fi- 
nancial information. They can use your credit card or instead use encoding equip- 
ment, sold by business supply companies, and blank cards with magnetic strips on 
the back, to encode your account number onto a counterfeit card with a different 
name. Thieves sometimes seek jobs specifically to get access to financial informa- 
tion; alternately, they may bribe employees in such positions to supply them with 
the data they want. 

The problem is compounded by the ease with which a phony ID can be obtained. 
On the Web are scores of sites with complete instructions on creating a “new you.” 
Personal computers, “scanners” and color printers (or copiers), all facilitate creating 
false identification documents. 

Commitment of Resources Jurisdiction 

Because identity theft crimes can involve the use of the mail, the U.S. Postal In- 
spection Service has become a lead agency in investigating these crimes. Even in 
cases where the original theft does not involve the mail, the mails may used to send 
the credit cards to a commercial mail receiving agency or alternate address. That’s 
why Postal Inspectors are involved in investigating this crime and take it so seri- 
ously. 

Each of the Inspection Service’s 18 field divisions investigates identity theft with- 
in their respective boundaries. Identity theft investigations are reported, cat- 
egorized, and tracked in an Inspection Service national database used by manage- 
ment to coordinate the appropriate investigative response. During the past few 
years, Inspection Service resources devoted to identity theft investigations have in- 
creased significantly — by 38 per cent. 

Identity Theft Investigations 

In a typical case last year, Postal Inspectors arrested eight West African nationals 
who were operating a multimillion-dollar counterfeit and stolen credit card enter- 
prise nationwide. And Postal Inspectors in New York arrested 16 members of a gang 
that ran a passport photo business, supplying false identifications for cashing checks 
stolen from the mail. 

Last year Postal Inspectors announced the results of a round-up of 103 mail 
thieves throughout the western United States. A multi-agency task force comprising 
U.S. Postal Inspectors, members of the U.S. Marshals Fugitive Apprehension Strike 
Task Force, U.S. Secret Service, state and local police, and the Northern California 
Identity Theft Task Force targeted mail thieves in California and Nevada. Similar 
operations took place in Arizona, Hawaii, Utah and New Mexico. Federal and state 
prosecutors supported the work of the task force by aggressively prosecuting individ- 
uals involved in mail and identity theft. 

Here are a few more examples of identity theft cases investigated by Postal In- 
spectors in the past year. In Detroit, Postal Inspectors investigated a gang of mail 
theft recidivists who were recruiting street people, called “runners,” to obtain cash 
advances from banks and casinos via credit cards. Inspectors executed a search war- 
rant at the residence of a suspect and recovered more than 180 documents listing 
victims’ personal IDs. Inspectors and agents from the Detroit Metro Identity Theft 
Task Force identified and arrested the ringleader of the group who, at the time of 
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his arrest, had more than 700 car rental applications with names, dates of birth, 
Social Security numbers, and credit card accounts of potential victims. The ring- 
leader and a cohort reportedly called credit card issuers, purporting to be the true 
account holders, and requested that replacement credit cards be mailed to them. 
The car rental manager who supplied the rental applications and an employee who 
worked at a health plan office were later indicted for providing documents to the 
gang. Total fraud losses exceeded $700,000. 

An Illinois man was sentenced to 25 months in prison and ordered to forfeit 
$590,000 in assets to banks after pleading guilty to the unlawful possession of an 
access device, mail fraud, and bank fraud. A joint investigation by Postal Inspectors 
and special agents of the Social Security Administration determined he had fraudu- 
lently applied for more than 200 credit cards using numerous victim IDs. 

Postal Inspectors in Jacksonville, Florida, arrested six people believed to be run- 
ning a major identity theft ring. The arrests were the result of a joint investigation 
by the Northeast Florida High Tech Task Force, which includes Postal Inspectors, 
members of the Jacksonville Sheriffs Office, and several other federal, state, and 
local law enforcement agencies. Victims of the ring included employees of the Winn- 
Dixie Corporation and Hollywood, Florida, police and fire departments. The six sus- 
pects were charged with 44 counts of violations related to the Racketeering Influ- 
enced Corrupt Organization (RICO) Act, including criminal use of personal informa- 
tion, grand theft, organized fraud, and manufacturing fraudulent IDs. One of the 
suspects has already pled guilty to RICO violations and related charges. 

Las Vegas police arrested a man for “driving under the influence” and later dis- 
covered he had an outstanding arrest warrant for identity theft in Arizona. Phoenix 
Postal Inspectors reported he stole a person’s Social Security number, applied for 
numerous credit cards in the victim’s name, and had the cards mailed to a box he 
rented at a commercial mail receiving agency. Postal Inspectors and Secret Service 
agents searched the man’s business and discovered numerous fraudulent documents. 

Statutes Used in Identity Theft Cases 

A number of statutes enable us to take action against identity theft involving the 
use of the mail. Under Title 18, U.S. Code, Section 1708, Postal Inspectors may ar- 
rest individuals for the possession of stolen mail or filing a false change-of-address 
order; the penalty is a $2,000 fine or up to five years’ imprisonment, or both. In 
1998, the Identity Theft and Assumption Deterrence Act of 1998, was signed into 
law. This law expanded the scope of the identity fraud statute (18 U.S.C. §1028), 
and made it a federal crime for the unauthorized use of personal identification in 
the commission of any federal law (felony or misdemeanor), or a state or local fel- 
ony. 

But one of our top weapons in the fight against identity theft is a statute origi- 
nally enacted over 125 years ago: the criminal mail fraud statute. If someone ap- 
plies for a credit card in your name, perpetrators may be prosecuted under Title 18, 
USC 1341. The penalty is a $1,000 fine or up to five years’ imprisonment, or both — 
unless a financial institution is affected, in which case the fine may be raised to 
$1 million and imprisonment for up to 30 years. The public policy that underlies 
this statute remains valid today: The postal system created by Congress to serve the 
American public should not be used to conduct schemes that seek to cheat the public. 

Our experience demonstrates that enforcement laws and mechanisms, coupled 
with an aggressive education campaign and enforcement efforts described below, are 
invaluable tools in the arsenal of law enforcement. 

Interagency and Industry Cooperation 

To address the fundamentals of identity theft, the Postal Inspection Service works 
diligently with the credit card industry, financial institutions and other law enforce- 
ment and regulatory agencies. In 1992, the Postal Inspection Service sponsored its 
first Credit Card Mail Security Initiative meeting in Washington, DC. We continue 
to promote and host these semi-annual meetings. 

Many of the preventive strategies discussed at our meetings have been imple- 
mented by our financial industry partners, and have resulted in reduced losses at- 
tributed to mail theft and the subsequent identity theft that occurs from it. The 
now-common concept of credit card activation was first proposed by a Postal Inspec- 
tor and was promoted through the Credit Card Mail Security Initiative meetings. 
The industry embraced and implemented this prevention strategy, which resulted 
in the reduction of significant industry fraud losses over the past decade. 

In addition, working in conjunction with industry partners, Postal Inspectors ana- 
lyze information from credit card thefts to identify “Hot Spots” for investigative at- 
tention. The Postal Inspection Service notifies the financial industry of zip code 
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areas suffering abnormal losses, so they can take extra precautions when mailing 
to those areas. 

Thanks to the collaborative efforts between the Postal Inspection Service and its 
working-group partners, we are beginning to see the results of this and many other 
fraud prevention initiatives. In addition to modifying industry practices, our collabo- 
ration has produced a number of fraud prevention guides, including the Fraud De- 
tection and Reference Guide; Account Takeover Prevention Guide; and Detecting 
and Preventing Credit Application Fraud. 

The working group was also responsible for the Identity Theft Consumer Aware- 
ness video and the Identity Theft brochure. At the conclusion of my testimony, I 
have included prevention tips prepared by the Postal Inspection Service in collabo- 
ration with its working partners. 

In 2003, the Postal Inspection Service decided to broaden the scope of the Credit 
Card Mail Security meetings to include presentations on money laundering, Internet 
fraud, and bank fraud schemes. As the focus has expanded, the name of our working 
group has changed to the Financial Industry Mail Security Initiative (FIMSI). The 
initiative has decided to capture many of the best practices developed over the years 
and share them with industry and law enforcement in the form of a 50-page docu- 
ment, reporting upon identity theft problems and issuing recommendations directed 
towards credit card companies and credit lenders for reducing or preventing it. One 
of those recommendations dealt specifically with limiting the use or display of social 
security numbers in sensitive records and mailings. 

To manage the vast data associated with these crimes, the Postal Inspection Serv- 
ice has developed a new financial crimes database. This computer application com- 
piles a myriad of intelligence data relating to financial crimes, and provides Postal 
Inspectors with information that assists in identifying trends, criminal hotspots, and 
the scope of identity theft activity. Information for this database is provided by cred- 
it card issuers, other financial institutions, mail order companies, Postal Inspection 
Service investigations, and the victims themselves. 

According to a report released by the FTC this past September, mail theft as a 
source for identity theft happened in only 4% of the cases surveyed. As we have 
made it more difficult for mail theft to be a component of identity theft, criminals 
have turned to other means, oftentimes recruiting the assistance of insiders, in 
other words “employees,” who have access to the personal information, especially 
the social security numbers, of clients or other employees. Personal information like 
social security numbers contained in corporate and government records and com- 
puter databases is a fertile area for dishonest employees working in conjunction 
with identity thieves. 

This is why we support H.R. 2971, the Social Security Number Privacy and Iden- 
tity Theft Prevention Act, and welcome the additional consumer protection provi- 
sions it will provide. It is important to do whatever we can to keep identity theft 
from happening in the first place 

Task Force Efforts 

In addition to partnering with members of the financial and mailing industry, 
task force efforts by law enforcement have been a successful approach to the iden- 
tity theft issue. Postal Inspectors are active participants on financial crimes task 
forces throughout the nation. In Pittsburgh, Pennsylvania, the Postal Inspection 
Service leads the Financial Crimes Task Force of Southwestern Pennsylvania. This 
task force began operation on January 17, 1995, and is housed at the Pittsburgh 
office of the Postal Inspection Service. Originally, this task force was formed to tar- 
get major credit card fraud in the Pittsburgh area. However, with the increased 
number of instances of identity theft spreading rapidly throughout America, this 
taskforce has directed most of its resources toward identity theft investigations. 

One of the recent cases involved actor Will Smith as a victim of identity theft. 
When Smith played Agent J in the movie Men in Black that was showbiz. But when 
convicted felon Carlos Lomax impersonated actor Will Smith, that was identity 
theft. Will Smith never knew his identity had been stolen until he attempted to pur- 
chase a new home and found his credit had been compromised. Postal Inspectors 
and the Financial Crimes Task Force of Southwestern Pennsylvania arrested Lomax 
for identity theft, and Lomax was sentenced to serve 37 months in jail and pay 
864,000 in restitution. 

The Minnesota Financial Crimes Task Force, which includes Postal Inspectors, 
Secret Service agents, and local law enforcement officers, last year arrested a Nige- 
rian national for a $1 million account-takeover scheme. Postal Inspectors executed 
a federal search warrant at the suspect’s residence and recovered approximately 
$16,000 in cash, three vehicles, artwork, electronics equipment, and merchandise 
derived from the scheme. An investigation revealed the man used bank employees 
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to identify high-dollar, dormant accounts with balances of $100,000 or greater for 
his scheme, and shipped the fraudulently obtained merchandise to his home in Ni- 
geria. 

Public Awareness and Education Efforts 

Over 2,000 of our 6,000 mail theft arrests last year involved identity theft — and 
it’s getting worse. But arrests are not the only solution. That is why the Postal In- 
spection Service addresses the identity theft issue on two levels — aggressive inves- 
tigative efforts and creating prevention and awareness programs. 

While the Postal Inspection Service works hard to identify and prosecute identity 
crimes, we also recognize our ability to lessen the impact of this crime upon the pub- 
lic through various prevention campaigns. Postal Inspection Service efforts to pre- 
vent identity theft target the public and business communities to educate them 
about these schemes, and the problems associated with them. These efforts have in- 
cluded the publication of a brochure titled, Identity Theft, Safeguard Your Personal 
Information, and the March 2000 release of the Showtime movie, The Inspectors 2, 
based on Postal Inspection Service files relating to identity theft investigations. 

In an effort to educate consumers about this fast-growing crime, the Postal In- 
spection Service created an informational video titled Identity Theft: The Game of 
the Name. Also, the Postal Inspection Service and thePostal Service’s Consumer Ad- 
vocate Office partnered during last year’s National Consumer Protection Week, from 
February 3 through 8. The week’s theme was “Identity theft, the No.l consumer 
fraud in the nation.” 

In 1999, Postal Inspectors along with partner organizations undertook Project 
kNOw Fraud, which was the largest consumer awareness campaign undertaken in 
this country. Through a mailing to 123 million addresses we warned the public of 
the dangers of telemarketing fraud. The successful campaign was followed up with 
the National Fraud Against Seniors Awareness Week in August of 2002. In Sep- 
tember of last year Postal Inspectors unveiled another national awareness cam- 
paign. Last year’s topic was identity theft. 

Actor Jerry Orbach, who also was a victim of identity theft, was the campaign’s 
spokesman. This awareness campaign featured a two-pronged approach, providing 
prevention and awareness information to consumers and addressing businesses on 
the need to safeguard their files and databases of customers’ personal information. 
The campaign included: 

• A house-to-house mailing to residences in ten states identified by the FTC as 
reporting the most identity theft complaints. The ten states were California, 
New York, Texas, Florida, Illinois, Pennsylvania, Georgia, Michigan, New Jer- 
sey, and Arkansas. The mailing was made in September, 2003, in conjunction 
with a press conference. 

• Distribution of an updated brochure on identity theft. The brochure was distrib- 
uted in connection with identity theft presentations made by Postal Inspectors 
to consumer groups. 

• Production and release of a Public Service Announcement (PSA) featuring actor 
Jerry Orbach. This thirty-second PSA was released in September in conjunction 
with the press conference. 

• An identity theft insert outlining prevention tips that was included with month- 
ly financial industry statements and with all Stamps by Mail orders placed dur- 
ing the months of September, October, and November 2003. 

• Production of an identity theft poster that includes prevention tips that was dis- 
played in all Postal Service retail lobbies, numerous credit unions, financial in- 
stitutions, and police departments in September. 

• Production of an identity theft informational video and articles on identity theft 
prevention that was published in internal and external publications as well as 
newspaper ads in the same ten states that were identified as reporting the most 
complaints. 

The Mullen agency of Pittsburgh provided support for our Identity Theft cam- 
paign on a pro bono basis. But what really made this campaign unique is the fund- 
ing source. We’ve all heard the saying, “crime doesn’t pay.” In the case of this 
awareness campaign, it does pay. This campaign was funded through fines and for- 
feitures paid by criminals in a past fraud case. 

Prevention Tips 

In numerous formats, including our website at www.usps.com/postalinspectors, we 
provide the following recommendations to the public: 

• Deposit your outgoing mail in a blue Postal Service collection box and promptly 
remove mail from your mailbox after delivery. 
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• Shred unneeded documents that contain personal information before discarding 
them. 

• Order credit reports every year from each of the three major credit reporting 
agencies and thoroughly review them for accuracy. 

• Never give personal or financial information over the telephone or the Internet 
unless you initiated the contact and trust them. 

• Report lost or stolen credit cards immediately. 

• If you applied for a credit card and didn’t receive it when expected, call the fi- 
nancial institution. 

• Sign new credit cards immediately — before someone else does. 

• Memorize your Social Security number and passwords. Don’t use your date of 
birth as your password and don’t record passwords on papers you carry with 
you. 

• Never leave transaction receipts at ATM machines, on counters at financial in- 
stitutions, or at gasoline pumps. 

• Don’t carry your Social Security card or birth certificate; leave them in a secure 
location. 

• Don’t disclose credit card or other financial account numbers on a Web site un- 
less the site offers a secure transaction. 

• Closely monitor the expiration dates on your credit cards and contact the issuer 
if you don’t receive a replacement prior to the expiration date. 

• Beware of mail or telephone solicitations that offer prizes or awards — especially 
if the offer asks you for personal information or financial account numbers. 

• Match your credit card receipts against your monthly bills and check your 
monthly financial statements for accuracy. 

• Watch for your monthly financial statements and bills. If you don’t get them 
when expected, contact the sender. 

For victims of identity theft, we recommend the following initial steps to begin 
the long and arduous task of responding to the crime: 

1. If the crime involved the U.S. Mail, contact your nearest U.S. Postal Inspection 
Service office and report it. 

2. Call the fraud units of the three major credit bureaus and request a “fraud 
alert” be placed on your credit file. Check your monthly financial statements 
for accuracy. 

3. Order copies of your credit report from the credit bureaus to check whether any 
fraudulent accounts were opened without your knowledge or consent. 

4. Contact your banks and creditors, by phone and in writing, and report the 
crime. You may be advised to close some or all of your accounts. At the least, 
change your PIN codes and passwords immediately. 

5. Record the names and phone numbers of people with whom you discussed your 
case and retain all original reports and supporting documents. Keeping accu- 
rate and complete records are a big step toward helping you resolve your prob- 
lem. 

6. Contact your financial institutions and request they flag your accounts. In- 
struct them to contact you immediately if there is unusual activity on your ac- 
counts. 

7. File your complaint online with the Federal Trade Commission, or call their 
Identity Theft Hotline at 1-877-IDTHEFT. The FTC has counselors to assist 
identity theft victims with resolving financial and other problems that can re- 
sult from this crime. 

Educating the public and working to reduce the opportunities where the U.S. 
Postal Service can be used for illegal purposes are crucial elements in our fight 
against identity theft crimes. As always, we will do our part to remove criminals 
from society. We appreciate your recognition of the importance of this issue. 


Chairman SHAW. Thank you, Mr. Maxwell. I thank all the wit- 
nesses. Mr. Johnson. 

Mr. JOHNSON. Thank you, Mr. Chairman. Mr. O’Carroll, in 
your testimony you mentioned cross-verification with numerous 
agencies. Is the U.S. Department of Veteran Affairs one of those? 

Mr. O’CARROLL. Yes, it is, Mr. Johnson. 
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Mr. JOHNSON. How do you deal with them directly? A lot of my 
buddies got listed as being dead, and they couldn’t get their status 
reinstated because of a lack of identification, as you might imagine. 
How do you address that issue? 

Mr. O’CARROLL. Yes, Mr. Johnson. We have a matching agree- 
ment with the Veterans Administration where the SSA matches 
the SSNs of veterans against our databases for validity. There have 
been instances in the past, we have done an audit on it. Inadvert- 
ently the SSA listed people as deceased when they aren’t deceased. 
We have brought that to the SSAs attention. 

Mr. JOHNSON. How does that happen in the system? 

Mr. O’CARROLL. Well, many of the death reportings are vol- 
untary from a lot of different sources. Occasionally when a source 
indicates that a person is deceased, and it is entered into the 
records, before it is verified by another party on it, that informa- 
tion is recorded. What we are recommending is a second 
verification on it so that that doesn’t happen anymore. 

Mr. JOHNSON. Are those numbers reissued? 

Mr. O’CARROLL. No, they are not reissued then. Once you get 
an SSN, sir, that is yours for life and forever. They don’t reissue 
SSNs. 

Mr. JOHNSON. If the guy is dead, and you resurrect him, do you 
give him his SSN back again? 

Mr. O’CARROLL. Yes. He does. He or she will get it back. 

Mr. JOHNSON. Okay. Second, do you issue Social Security cards 
to students who are here on student visas who do not work? 

Mr. O’CARROLL. In actuality, they are not supposed to be issued 
to non-work students. The SSN is issued to students if they can 
show documentation from Immigration showing that they are au- 
thorized to work, at which time they will be given an SSN. 

Mr. JOHNSON. This is if they are authorized; but what if they 
are not working at all and never intend to? A lot of them do come 
here and are under their — they are supported by their home coun- 
ty. They don’t pay any income tax. They don’t pay a thing us to, 
not a nickel, but they go to school, and they have a student visa. 
Now, how do you differentiate? 

Mr. O’CARROLL. Well, the student visa is not reason to be 
issued an SSN. It has to be issued for work purposes. We have 
done audits where some schools have issued — or have issued letters 
saying that a student is working, when, in fact, they haven’t been 
working, and that way was a way that they bypassed the rules and 
regulations in order to get an SSN. It is something that is recog- 
nized, and it is something that we have been working very closely 
with SSA doing studies of universities and making sure that they 
are, in fact, following the laws and using the actual document to 
show that a person is working. It is a loophole that has been out 
there, and it is being closed as we speak. 

Mr. JOHNSON. Do you have employers, when they hire some- 
body, theoretically they are supposed to check their status, and 
theoretically you are supposed to have the computer capability to 
have somebody call you and say, hey, is this a valid number and 
name, and you are supposed to be able to say yes or no imme- 
diately. Is that in operation right now? 

Mr. O’CARROLL. Correct. The SSA does have that. 
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Mr. JOHNSON. You do have that. I understand that a lot of 
businesses are not taking advantage of that; is that true? 

Mr. O’CARROLL. That is correct, sir. 

Mr. JOHNSON. How do we rectify that? 

Mr. O’CARROLL. Well, one of the portions of the support of Con- 
gress is to make it mandatory that employers do check that each 
time. As it stands in the past, SSA now has ways of doing it where 
it can be done electronically, it can be done on the telephone, it can 
be done in person. What we are hoping for in the future is to have 
electronic means for verifying all employees. We have got different 
public outreaches to encourage employers to do it, and we are hop- 
ing for Congress to encourage employers also to make it mandatory 
that they do it in the future. 

Mr. JOHNSON. One further question for anybody that wants to 
answer it: Are we still failing to go after people who sell or tell you 
that they have lost their identification and come back for another 
one, because last time our testimony indicated that there was up- 
ward of 80 or more before you even looked at it. 

Mr. O’CARROLL. Those are two of the provisions in this law is 
one to take a look at the people asking for numerous replacement 
Social Security cards. 

Mr. JOHNSON. Well, how about one? If you have got the com- 
puter system to do it, why can’t do you it after one? 

Mr. O’CARROLL. Well, there are legitimate reasons why people 
lose their Social Security card. Quite frankly, what we have been 
saying within the Office of the Inspector General is it is the num- 
ber, not the card that is the problem to society. 

Mr. JOHNSON. Well, I understand that, but they still sell them, 
don’t they? 

Mr. O’CARROLL. That is a major concern of ours is that when 
they get replacement cards, that they could be sold again, and that 
is why we are asking to tighten up on it. 

Mr. JOHNSON. Just one follow-up. Are you still waiting to 80 
before you check them out? 

Mr. O’CARROLL. Yes. The number has dropped considerably on 
the number of replacements. It is not up to 80. What we are look- 
ing for is 20 in the lifetime. We still think that is a large number 
to be asking for, and we are asking to have that number reduced. 

Mr. JOHNSON. I will bet the Postal Service doesn’t wait that 
long. You guys do a good job, by the way. They briefed us well in 
Texas. Thank you. Thank you, Mr. Chairman. 

Chairman SHAW. Thank you. I still have my original Social Se- 
curity card. 

Mr. JOHNSON. So do I. 

Chairman SHAW. Let me do a follow-up of what Sam was asking 
you with regard to students. If a student wants to open a bank ac- 
count, and he doesn’t work, and it is an interest-bearing account, 
he would need an SSN, wouldn’t he? 

Mr. O’CARROLL. If you remember, Mr. Chairman, there was the 
hearing that we had with the use of the tax identification number, 
so that is a way in order to report. 

Chairman SHAW. Oh, I see. 

Mr. O’CARROLL. Taxable information without using an SSN. 
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Chairman SHAW. That is right. Thank you for refreshing me on 
that. Mr. Cardin. 

Mr. CARDIN. Thank you, Mr. Chairman. I want to follow up on 
the private sector and the cooperation we are receiving from the 
private sector as it relates to theft, identity theft, SSNs and related 
issues, including the issue that Mr. Johnson raised. It seems to me 
that we are having a difficult time passing new laws here because 
of the wide use of SSNs by commerce, which we all understand. It 
seems to me that the private sector, private employers and private 
companies have a great deal at stake here, and I am curious as to 
whether you think they are doing enough to assist us in identity 
theft, at least initially. Second, after a person has found their iden- 
tity has been stolen, and they have gone through this difficult 
issue, it has been reported to us that the theft continues, and there 
is still a difficult time in getting the private sector to work with 
us to make sure that the person who has been victimized is no 
longer victimized. So, I would be interested in your response as to 
whether you think the private sector, private employers, private fi- 
nancial companies, private companies generally are doing enough 
to help us and assist us to develop a strategy to minimize identity 
theft in this Nation. 

Mr. BEALES. Congressman, I think by and large the private sec- 
tor has been very cooperative and very responsive. What has tend- 
ed to happen in this area is identity thieves exploit a particular 
source of information or a particular channel to get credit. It takes 
some period of time to recognize that channel and recognize that 
problem. Once it is recognized, there are some fairly strong incen- 
tives to put measures in place to shut down that particular chan- 
nel. Unfortunately it is an ongoing process because identity thieves 
work very hard to find a new way to do that. 

Mr. CARDIN. Can I just challenge you on that for one moment? 
If I make a small mistake on the use of my credit card, it seems 
to me it gets bounced the next time I try to use it pretty quickly. 
It seems like the credit industry knows how to get things into the 
computer pretty quickly to respond to what they believe is impor- 
tant. I don’t see the same zeal, the same commitment as it relates 
to identity theft. Am I wrong? 

Mr. BEALES. Well, I think it has varied. I think the most com- 
mon form of identity theft is credit card misuse, and I think the 
things you are pointing to are in place and address that form of 
identity theft and have really improved tremendously over time as 
people have used pattern recognition kinds of software and kinds 
of technologies to identify problems before there is too much 
charged on existing credit card accounts. So, I think there is a lot 
of that. There is no doubt that there is more that can be done in 
many areas, and that there is an ongoing need to recognize new 
threats as they emerge and to put measures in place to address 
them. 

Mr. CARDIN. The victim finds that his or her credit is affected. 
There are so many different avenues in which this information 
travels. It would seem to me that the private sector could develop 
the type of software response that could try to help the victim, and 
I haven’t seen that. 
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Mr. BEALES. Well, I think the key to helping the victim, once 
there has been an identity theft victim, is now in place by statute 
under Nation that was passed last year, and that is the system for 
placing fraud alerts has been codified in that statute. You can do 
it with one call to any one of the three credit bureaus and place 
the fraud alert for all three. With an identity theft report, like a 
police report, you can block fraudulent information that would ap- 
pear on the credit report and keep it from being re-reported, and 
those measures we are in the process of rulemaking now and will 
be in place shortly. 

Mr. CARDIN. Yes. I think the frustrating part is that you can 
find a person’s credit destroyed very quickly because the system is 
in place to identify individuals who are believed to have had a cred- 
it problem, even if it is a theft situation, but to rehabilitate it 
seems like to takes a lot longer to be able to work through the sys- 
tem. I just question whether we have the same commitment in the 
private sector to deal with the victims as it is to in some cases over 
respond and take away a person’s good credit who doesn’t deserve 
to have that credit taken away. Just my own observation. 

Mr. MAXWELL. May I add to that? 

Mr. CARDIN. Sure. 

Mr. MAXWELL. The initial part of your question, if I understood 
it correctly, was about the cooperation with industry. In our experi- 
ence I have been encouraged, but the dichotomy you have, you 
have the business interest wanting to serve the customer to keep 
them as customers, but then they also have their competition with 
their other associated industries for the credit card group. I men- 
tioned earlier for example, they are competing factions. We have a 
mail order task force. They are competing factions. So, sometimes 
it is hard to get them to cobble together like a shared database or 
best practices. They seem reluctant, which I understand why. 

Where I have seen and been encouraged is we tried — when we 
started this campaign, we reached out to the credit card companies 
to partner with us and actually put an identity theft warning on 
their statements. We never took that full measure because we 
couldn’t get every company to agree to it. Their counsels, inde- 
pendent counsels, had some problems with it; however, some uni- 
laterally did it on their own. So, I was encouraged by that, but I 
think the problem we will still have to overcome is that issue of 
competition and in the fact that we will give a little, but it is a con- 
stant balance. I think that more and more there is a benefit seen 
at the end by having the customers happy, satisfied and protected. 
Ultimately that is the case, and that is what we found in the Postal 
Service, I know. You can cut a lot of measures. We tried changing 
the commercial mail-receiving agency rules, and that was a very 
tough row to hoe. Again, you have a lot of industry you have to con- 
sider, but I am encouraged. We have come a long way. 

Chairman SHAW. Mr. Hulshof. 

Mr. HULSHOF. Thank you, Mr. Chairman. Let me start, Mr. 
Maxwell, by echoing what Mr. Johnson said. The Saint Louis Post- 
al Inspector’s Office had the opportunity to brief me in the Saint 
Louis office. This was right in the aftermath of the mailbox pipe 
bombs in the Midwest, and so I really got a good glimpse of what 
it is that you all do. I will have to admit that the day was capped 
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off by allowing me to participate in the computer-simulated fire- 
arms training, which was a lot of fun, and I didn’t maim too many 
innocent people. 

So, Ms. Bovbjerg, let me get to really the subject of today’s hear- 
ing. I am sorry about the microphone here, Mr. Chairman. It seems 
to be in and out. We have talked about the private sector, Ms. 
Bovbjerg. What I want to talk about, because I know coming up in 
a later panel is what is happening in the public sector, and as you 
point out, and we are going to hear from a witness in the second 
panel, Federal law requires the use or the collection of SSNs for 
various reasons related to tracking deadbeat parents. The SSNs 
must appear on the pleadings in court orders related to child sup- 
port. In fact, the Code of Federal Regulations requires that the 
SSN appear on garnishment orders involving postal employees as 
well as, and not to resurrect, Mr. Becerra, our discussion and de- 
bate last night in the full Committee, but SSNs are used to collect 
fines, crime victim restitution and beyond. 

So, I know you recognize in your statement that there is a survey 
of State and local agencies to determine the extent to which SSNs 
are displayed in public records. When might that survey be com- 
pleted, and what can you tell us about it? 

Ms. BOVBJERG. Well, mine is not working either. We are due 
to report out to Chairman Shaw in September on this work, and 
it is a really complex survey, and so we have some things. Like we 
know that some States have the SSN in public records, but they 
don’t need it, and they are not really sure why it is there. We can’t 
tell you what the incidence of that is yet because we don’t have all 
of our surveys back. 

What we are looking at is really what kind of records does the 
SSN appear in. We are trying to be able to say how many people 
this might affect by the way that we structured our survey. It is 
a little different than some things we have done for you in the past. 
We are also looking at what format is it in, because 2 years ago 
when we did this work, we were all, I think, pretty alarmed when 
we heard that these things were all going to be electronic, and this 
was going to be a boon to customer service. We are looking at, well, 
just how electronic is it going to be? 

I think that what we are hearing anecdotally and the people that 
we talk with about these things is there is just a greater sensitivity 
to this issue in no small thanks to this Subcommittee work. We 
have seen a dramatic shift in the public record world in the kinds 
of things that people are concerned about now. They are a lot less 
concerned about the speed of customer service and a lot more con- 
cerned about how do we make sure that we have only the data we 
need, how do we make sure that it is not going to the wrong place. 
There is a lot more of that. 

So, we will be reporting both survey results and results of our 
interviews. I think you know largely the early returns is there are 
some good news. There are some things that are being done. The 
good news at the Federal level, just by the way, is that the Privacy 
Act works, but when you get into State and local governments, it 
is not uniform, there isn’t a single law that affects them. We con- 
tinue to believe that the government, the Federal government, 
should consider working with State and local governments to de- 
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velop something that is more uniform, more uniform protections, 
but at the same time consider that there are some very important 
uses to which the governments put the SSN, one of them being 
child support enforcement, tax enforcement, and program integrity 
at SSA. Just a few. 

Mr. HULSHOF. Well, and certainly as a supporter of the Chair- 
man’s bill, I wasn’t aware until really preparing for this hearing 
that the Code of Federal Regulations in some instances insists that 
the SSN be recorded, and so I see that we are at a conflict here 
obviously. The other concern that I would expect would be that any 
new legislation that would be introduced and hopefully pass, Mr. 
Chairman, your bill, would certainly be prospective. Again, I will 
just relate that in the State of Missouri, our State Court Adminis- 
trator who is set to testify, a lot of our courts in rural areas are 
finally now getting online as far as providing those court docu- 
ments. So, in other words, going back retroactively to somehow 
close these records would just really be an extraordinarily difficult 
task, but look forward to the survey and any recommendations that 
maybe come along with that study. So, thank you. 

Ms. BOVBJERG. Well, one thing I do want to encourage you to 
think about is there is use and there is protection, and that you 
can require use, but you don’t have to display it while you are 
using it. I think that is one of the things you are seeing that the 
Federal courts are starting to try to deal with. 

Mr. HULSHOF. Thank you. 

Chairman SHAW. Mr. Hulshof, the bill that you are cosponsor of 
that you refer to as my bill, but it is our bill, is prospective, and 
there is a 2-year period for implementation, so I think we have cov- 
ered that base. I hope so. 

Mr. HULSHOF. Good. 

Chairman SHAW. Mr. Becerra. 

Mr. BECERRA. Thank you Mr. Chairman, and let me also say, 
as my colleagues have said, thank you very much for pursuing this 
so diligently. I hope that we are able to move forward your bipar- 
tisan legislation soon because it is better to get what is good out 
of the bill now versus wait until we perfect it later. Thank you all 
for your testimony. Let me ask a couple of quick questions, see how 
much I can get through in 5 minutes. 

What can we do, and I open this to any of you who wish to com- 
ment. What can we do to help victims of identity theft to restore 
their good name and credit and to retain and restore again also 
their privacy? We are dealing with trying to prevent it. We know 
that in millions of cases we are too late. The talk of prevention is 
not going to help them because they have already had their iden- 
tity stolen. Now they are facing the consequences of months, maybe 
years, of reclaiming their good name and credit. What can we do? 
Can you think of anything we can do legislatively to try to help vic- 
tims who are currently in the process of trying to restore their good 
name and credit? 

Mr. MAXWELL. There may be a possibility to enact some form 
of, for lack of a better word, Committee, but group, working group, 
task force group that is tasked primarily with expediting con- 
sumers’ restoration, if you will. To me it seems like most con- 
sumers, particularly the elderly, become frustrated with the sys- 
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tem, whether it be complaining about fraud or the health care 
problem or just going to get help. When they are faced with a myr- 
iad of phone calls and letters to write, it kills them. 

Mr. BECERRA. Other than having a group that can advise, let 
me give you a quick example. Should we, for example, pass a law 
that says that a private entity that has used a SSN for whatever 
purpose, a bank, a credit agency, if, indeed that agency uses SSNs, 
it must treat as priority status an individual’s claim that his or her 
identity was misused, and therefore has to clear that record so that 
when you as a private entity get that type of request by an indi- 
vidual, you must give it priority status? You can’t just put it at the 
end of the list of complaints and work that you would have to deal 
with in the course of your business dealings. 

Mr. MAXWELL. That would be an excellent first step. Definitely 
an excellent first step, and I think, as a follow-up, if there could 
be some body created to help expedite that, too. That first step 
would be putting the onus on the firm, the most responsible. 

Mr. BECERRA. Anyone who wants to use a SSN understands 
they have got an obligation to help a victim of identity theft clear 
it up quickly. If you are going to use the card, or the number, un- 
derstand that some people will be victims; not perhaps of your own 
doing, but because you are a user of the card, you then are obli- 
gated to help victims who had their number used inappropriately 
resolve that issue as quickly as possible. 

Mr. MAXWELL. That sounds promising to me. 

Mr. O’CARROLL. Mr. Becerra, two things that are of interest to 
us. One is our major concern is the integrity of the SSN in relation 
to Social Security programs. However, what we have been big on 
encouraging is cross-verification, so that any Social Security that is 
numbered that is out there either in the Federal government or in 
commerce is being verified to know whether it is a valid number 
or not, and that kind of leads into what you were saying, is that 
way we can through verification, we can identify the misuse that 
is out there, and hopefully someday by government matching 
agreements, there will only be one person with one SSN of record 
in the Federal government. So, that is an issue with us on trying 
to prevent it. 

Mr. BECERRA. That is still more on the preventative side, which 
I think that is really where we have to go, because we don’t want 
to have victims. To some degree I think there is still some help we 
can provide. If you have a good verification system, that makes it 
easier for those who didn’t abuse their use of the card help that 
victim restore his or her good name and credit. So, if I am a bank 
and I wasn’t at fault, and some other entity allowed the number 
to be misused, at least I can help verify quickly the claim of that 
individual that indeed he or she is that person and not the other 
individual. 

One quick question for Mr. O’Carroll. My understanding is that 
your current policy is to allow 52 replacement cards per year — is 
for Social Security to allow 52 replacement cards per year. Why the 
heck are we at such a high number? It used to be 80-something, 
as I think Mr. Johnson said. Why the heck are we still at — why 
would anyone need more than one? I never pull out my Social Se- 
curity card itself as an identifier; it is just a number. So, why 
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would anyone need to request a card, even if you have lost the card 
itself? You know what your number is, or someone else does. Why 
would you need to request replacement cards? 

Mr. O’CARROLL. I think the logic that you are getting at and 
everyone else is, and as Mr. Johnson brought up, is probably for 
resale of that number or giving that card to somebody else, which 
is a concern on a fraudulent basis. One of the issues that the Agen- 
cy looked at and we were a part of was taking a look, instead of 
having that card, is maybe making it a certificate or something 
larger than a card that would be put away and wouldn’t be out in 
the common commerce on it. As with anyone, when you start think- 
ing about if we came up with a new format for a Social Security 
card, everybody in the United States would want a new one and 
you can imagine the implications that would be. So, from looking 
at it from, I guess, the mechanical side of it, yes, the card is really 
the number and not the card. 

Mr. BECERRA. Unlike a diploma you hang up on your wall, you 
are not going to put a SSN up on your wall. Once you have it, you 
want to store it away and hide it as best you can. So, let me ask 
you a real quick question. Do we ask for some form of certification 
or verification as to why you are requesting another card? Do we 
say to you, prove to me that you need it or why you need it? 

Mr. O’CARROLL. No. At this point, no, sir. 

Mr. BECERRA. So, Mr. Chairman, this to me seems like an area 
where we could immediately address this. Once you have got your 
card obviously we hope the people can be diligent in safekeeping 
their number. To have the SSA continue to allow people to get re- 
placement cards, which could really only be used for purposes of re- 
sale or for fraudulent purposes, this is something that 

Mrs. TUBBS JONES. Will the gentleman yield? 

[The opening statement of Ms. Tubbs Jones follows:] 

Opening Statement of The Honorable Stephanie Tubbs Jones, a 
Representative in Congress from the State of Ohio 

Mr. Chairman, 

Allow me to commend you on both your timing and your topic for this morning’s 
hearing. As national legislators we must tackle what is becoming the fastest grow- 
ing national crime trend in modern history: Identity theft! As so often happens with 
modern technology and high tech innovations, the use of technological advancement 
far out paces the public policy, protection measures and regulations governing the 
administration of technological advancement. 

While identity theft is on the rise and the social security number (ssn) is but one 
avenue to affect the crime, the prolific and generally accepted practice of use of the 
social security number as an identifier makes it a prime target. It is fitting that 
we, as Members of the Social Security Subcommittee, address the issue in an open 
forum. As Americans get older and increase the number of retirement/entitlement 
programs for which they are eligible — the use of the social security number becomes 
the number one identifier for all types of service providers. As we launch this mas- 
sive and still yet confusing voluntary national prescription drug program — we are 
once again offering to new and established entities the privilege to use the social 
security number as an identifier. 

The public and private sector have recognized and dialogued about the balance 
between the privacy issues and the protection of open commerce. Entities from the 
mortgage bankers, to national credit bureaus, to municipal records keepers and 
credit card companies — up to and including the U.S. government — have all come to- 
gether in one forum or another to address the issue. Before us today, we also have 
H.R. 2971 — of which I am a co-sponsor — “The Social Security Number Privacy and 
Identity Theft Prevention Act of 2003. This is clearly a step in the right direction. 
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Mr. Chairman, according to Federal Trade Commission (FTC) data (2002 is the 
most recent data available) my home state of Ohio ranks 30th in the nation in iden- 
tity theft cases and CLEVELAND, in my Congressional District, is number one in 
the state. I have provided copies of the FTC information as a part of my statement 
today and would like to have it included in the record of today’s proceedings. Local 
jurisdictions have highlighted the issue: the Associated Press reported how Ham- 
ilton County in the State of Ohio will hear recommendations from their task force 
to limit/restrict the amount of information — including the SSN from the county 
clerks’ Web site; NBC reported just last week on how blood donors at the UCLA 
Blood and Platelet Center may be unwitting victims of identity theft as a result of 
a misplaced laptop with all of their personal data — including the SSN! This follows 
the alleged theft of another UCLA laptop from their financial office that contained 
similar personal information that could put even more people at risk. The need for 
increased laptop security notwithstanding, perhaps we need to somehow limit both 
the demand for and the use of the SSN. 

In 1935, with the passage of the Social Security Act, every employee covered by 
the social security program had to have an identifying number. Since then, the Civil 
Service Commission; the Internal Revenue Service; the Treasury Department; The 
Veteran’s Administration; The Department of Defense — just to name a few govern- 
ment entities — have all made disclosure and use of the SSN an almost prerequisite 
identifier. We in Congress have made several attempts to monitor and regulate the 
use of this number. Mr. Chairman, I look forward to hearing from the witnesses this 
morning as they lend their expertise and personal experiences to our effort to lend 
some clarity and protection to the public. 


Mr. BECERRA. Certainly. 

Mr. JONES. I have a son who had to get a replacement card in 
order to get a passport or something. There was some other agency 
that would not accept that he did not have an SSN, and so it was 
a requirement that he needed to get a replacement. 

Mr. BECERRA. I think there is a perfectly good explanation, and 
therefore you could have some certification under penalty of per- 
jury or something that says, I need this card because this agency 
is requesting it, and there you have then something that gives you 
some sense of comfort that the person is requesting it for a purpose 
other than just because they want another card. 

Mr. JOHNSON. Yes, but not 80 of them. 

Mr. BECERRA. That is exactly it, and the way technology and 
automation works today, chances are that we should be able to 
have the U.S. Department of State or the agency that issues pass- 
ports talk directly to the Social Security agency, Federal govern- 
ment to Federal government, on whether or not this person has 
this number and it belongs to him or her. 

Mr. O’CARROLL. Social Security, the answer to that part of it, 
is working very closely with the U.S. Department of State, Immi- 
gration and Naturalization Servies, and U.S. Department of Home- 
land Security, on that type of a match for verifying that informa- 
tion. 

The other part of it, though, is you were saying on these replace- 
ment cards, and not to steal the thunder of your Committee, your 
Subcommittee on this thing that is one of the provisions of this 
thing, is to look at the issuance of the replacement cards, and it 
is part of the study that is being recommended. Quite frankly, we 
feel that that is a fraudulent loophole, the number of replacement 
cards that are out there. It is a throwback to days when all the 
SSN was used for was tracking wages. Everyone was happy to give 
out numerous Social Security cards at the time because it was for 
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the purpose of tracking wages, not as it is today where it is becom- 
ing a 

Mr. BECERRA. You don’t have to go to the SSA. I can tell you 
down at some streets in Los Angeles, where you can get the same 
card without having to ask the SSA to send you one. So, it is not 
as if there is some particular value in getting this replacement. 

Mr. O’CARROLL. Hopefully we are buying cards from that per- 
son and arresting them. 

Ms. BOVBJERG. Could I just jump in on this issue for just 5 sec- 
onds? Last year this Subcommittee had a hearing on some of these 
issues where the Commissioner was here where I testified, and we 
recommended that we not give out 52 replacement cards a year, 
that we at least reduce the number. There are some legitimate rea- 
sons to need replacement cards, but very few of them would require 
52. At that time, SSA said that they had in front of Office of Man- 
agement of Budget a proposal to reduce the number of cards per 
year and lifetime. That was a year ago. So, I don’t know what has 
happened to that proposal, but that is a recommendation that we 
have made as well to SSA. So, we share your concern. 

Chairman SHAW. I will inquire of the Commissioner and place 
that information in the record. 

[The information follows:] 

June 22, 2004 

Hon. Jo Anne B. Barnhart 
Commissioner of Social Security 
500 E Street, SW 
Washington, D.C. 20254 


Dear Commissioner Barnhart: 


We wanted to bring to your attention the issue of Social Security number (SSN) 
replacement cards, which was discussed extensively at our Subcommittee hearing 
on enhancing SSN privacy held on June 15, 2004. 

As you know, the Subcommittee had been informed previously that some unscru- 
pulous individuals may sell their legitimate SSN cards to others, thereby enabling 
them to work under an SSN that is not their own and to commit other forms of 
identity fraud. Both a witness from the General Accounting Office (GAO) and the 
SSA Acting Inspector General were asked whether the agency had changed its poli- 
cies to restrict the number of SSN replacement cards. Each replied that under the 
SSA’s current policies, individuals may obtain an unlimited number of replacement 
cards. 

To ensure the public record on this issue is accurate, please provide your current 
policies with respect to the issuance of replacement cards and whether any change 
to those policies is anticipated. 

Also, as you may know, a provision to limit the number of replacement cards has 
been included in the Social Security Number Privacy and Identity Theft Prevention 
Act of 2003 (H.R. 2971). Your comments on this provision would be welcomed by 
the Subcommittee. 

Your reply by July 9, 2004 is most appreciated. Should you have further ques- 
tions, please contact the Subcommittee Staff Director, Kim Hildred, at (202) 225- 
9263. 


Sincerely, 


E. Clay Shaw, Jr. 
Chairman 


August 2, 2004 

Hon. E. Clay Shaw, Jr. 

House of Representatives 
Washington, D.C. 20515 


Dear Mr. Chairman: 
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Thank you for your letter dated June 22, 2004, regarding the SSA’s (SSA) policies 
related to the issuance of replacement Social Security number (SSN) cards. You 
asked us to provide our policy on issuing replacement cards, and whether we antici- 
pate changes in that policy. You also asked for our comments on a provision in H.R. 
2971, the Social Security Number Privacy and Identity Theft Prevention Act, that 
would limit the issuance of replacement SSN cards. 

SSA currently has no limitation on the number of replacement SSN cards an indi- 
vidual may be issued (either over the course of a year or a lifetime), other than a 
protocol in its electronic processes that prevents the issuance of a replacement card 
within 7 days of a previous card issuance. Section 204 of H.R. 2971 would restrict 
the issuance of multiple replacement cards, specifying both yearly and lifetime lim- 
its. 

I, too, am concerned that issuing unlimited replacement cards may contribute to 
identity fraud. We are exploring ways to prevent individuals from obtaining replace- 
ment cards to facilitate someone else committing identity fraud. For example, I have 
instructed my staff to develop procedures that will identify instances where requests 
for replacement cards rise above a reasonable threshold. If fraud is suspected, SSA 
staff will follow established protocols and refer the matter to our Office of the In- 
spector General for appropriate action. 

We will keep you apprised of our activities in this area and would welcome the 
opportunity to continue to work with you to find an appropriate balance between 
our responsibility to provide the American people with the service they expect and 
deserve, and our commitment to deter SSN fraud. 

Thank you for bringing this issue to my attention. If I can be of further assist- 
ance, please do not hesitate to contact me or have your staff contact Mr. Robert M. 
Wilson, Deputy Commissioner for Legislation and Congressional Affairs, at (202) 
358-6030. 


Sincerely, 


Jo Anne B. Barnhart 
Commissioner 


Chairman SHAW. I want all of you to know that you have wit- 
nessed a very historic moment where Mr. Johnson and Mr. Becerra 
are in full agreement. 

Mr. JOHNSON. That is California and Texas. 

Mr. BECERRA. Mr. Chairman, that is worth putting on our wall 
as some kind of diploma. 

Chairman SHAW. I have made note of it. Ms. Tubbs Jones. 

Mrs. TUBBS JONES. Thank you, Mr. Chairman. Good afternoon 
to the witnesses. I want to pick up on one of the questions that was 
asked. My staffer Melvena says: how do private sector entities gain 
access to our Federal verifying mechanisms in order to use Social 
Security as an identifier? 

Ms. BOVBJERG. I can talk about the employer side. I can talk 
about the motor vehicle side. They can do it in several different 
ways. It depends on how many records they want to verify. They 
can do it by phone, they can do it online. As a practical matter, 
though, employers don’t do this. They don’t verify. We are doing 
work right now for this Subcommittee that is due out in the winter 
on the effect that this has. Specifically, on the records that Social 
Security doesn’t know what to do with because the name, date of 
birth, and the number don’t match, and these records are coming 
from employers. 

Mrs. TUBBS JONES. For example, my automatic teller machine 
card, if I go on line or call a number, 1-800, whatever it is, I call 
and I say I want to access my checking account. Then they ask me 
for my SSN to be put into the system in order to access my check- 
ing account. Then they ask me for a 4-digit pin number, which is 



54 


also part of my SSN, to get to my checking account. What kind of 
regulation do we have on that? 

Ms. BOVBJERG. The reason they have your number is because 
financial institutions are required to have that information for tax 
purposes. 

Mrs. TUBBS JONES. Okay. So, that then allows them an option 
to go wherever else they want to go with it, because they have ac- 
cess to the number in that way. 

Ms. BOVBJERG. Well, I would like to think that they are not 
only asking you for your number but for something like your moth- 
er’s maiden name or something like that, because just having the 
number, if someone were to. 

Mrs. TUBBS JONES. That might be private too, though. I’m kid- 
ding, go on. 

Ms. BOVBJERG. You want something that if someone has your 
SSN, they couldn’t go back to the bank. 

Mrs. TUBBS JONES. I understand, but what I am saying the 
import of it is, is that they are using this number that supposedly 
was supposed to be sanctimonious or sanctified; it would never be 
able to be used for any other purpose very easily in the process. 
I think I would agree with my colleague here, that maybe what we 
need to do is to put some imposition or some requirement on those 
that use it to be able to provide some protection for the public 
when they choose to use it in a way that benefits their particular 
process. 

Let me go to the gentleman from the Inspector General’s Office. 
I come from Cleveland, Cuyahoga County, former District Attorney 
in Cuyahoga County. So, we did a lot of work with postal inspec- 
tors. One of the most difficult things about prosecuting much of the 
theft, or identity theft in many of the areas, is that very few people 
want to really do white-collar crime. It takes a lot of work, it takes 
a lot of money, it takes a lot of time to invest in that type of work. 
What has been your success with, once you get a document or have 
done your research, gotten it together — prosecution of identity 
theft? 

Mr. MAXWELL. I mentioned earlier that of our 10,000 arrests 
for all crimes last year, 3,000 were identity theft, which is a very 
large proportion. That tells me — plus, of the cases I have read and 
been briefed about, we have a very good track record that way. 
There are cases that aren’t as attractive enough to prosecute, but 
if you have generally more than one complaint or if one victim has 
a large loss and it is a complex matter, generally the U.S. Attorney 
will be more than happy to devote resources to it. If it is not a 
large loss, if there are very few victims, generally the climate — and 
that is true universally for fraud cases. 

Mrs. TUBBS JONES. Coming from the State prosecutor’s office, 
we always go back and forth as to whether the States and the Feds 
really pay attention to what cases. Just for the record, Mr. Chair- 
man, I would like to submit something from the FTC that shows 
figures and trends in Ohio. 

[The information follows:] 
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Mrs. TUBBS JONES. It shows that Ohio is 30th in the country 
in number of States with regard to identity theft. Unfortunately, it 
shows that the city of Cleveland, which is my congressional dis- 
trict, is number one in the city in the State of Ohio with identity 
theft issues. I am standing up for all those great people from the 
city of Cleveland and greater Cleveland. 

I am encouraged that we are holding this hearing, Mr. Chair- 
man, and I am looking forward to having the opportunity to work 
with you to deal with the issue of identity theft because it becomes 
very, very important, particularly when we begin to talk about 
those senior citizens who have to go through a long process in order 
to get through. They are having a hard enough time getting pre- 
scription drug discount cards right now, to have to go through this 
and do anything else. I thank you, Mr. Chairman, and I don’t have 
any time to yield back. 

Chairman SHAW. Thank you. Mr. Brady. 

Mr. BRADY. Thank you, Mr. Chairman, for holding this hearing, 
this important issue. Although I will confess there are days as a 
Member of Congress when I would pay someone to steal my iden- 
tity, so you would have to take all that goes with it, but you can 
have it. I want to talk to Ms. Bovbjerg, if I could, about the enforce- 
ment issue so we can get a little better picture. We talk about this 
at each of the hearings, but who is responsible for ensuring that 
businesses and those to whom they sell SSNs only disclose accord- 
ing to law? Who monitors the day-to-day release? Who prosecutes 



59 


them, and how many businesses, I don’t need the number, but how 
often do we really go after those who are breaking the law in this 
matter and what kind of penalties do they get? 

Ms. BOVBJERG. With regard to the private sector, I want to be 
careful with how I talk about this. The business that is collecting 
the number, the consumer reporting agency, there are rules about 
how they can disclose and what they can do with the other entity 
with whom they are doing business. 

What happens after it goes to the other entity, who knows? It 
seems like something of an honor system where, if it happens to 
you or to me that our identity is stolen, we might ultimately track 
it back to that entity and we would file a complaint and there 
would be Federal law enforcement involved. I am a little bit con- 
cerned that it seems very indirect. Our sense is that the collecting 
entity is complying with the law. They seem concerned about that; 
they have made changes to their systems to do that, but once they 
have that contract with the other entity, that the other entity signs 
and says we know we are not supposed to disclose and we are not 
going to do it, who knows what happens after that? It is sort of a 
very trusting kind of a system. 

Mr. BRADY. So, do we often catch bad actors violating the law? 

Ms. BOVBJERG. With that, I would have to turn to the law en- 
forcement folks at the table. It is too bad the FTC person isn’t still 
here. 

Mr. BRADY. Jump in. 

Mr. MAXWELL. As I keep alluding to the numbers, it is one of 
our largest proportion of criminal prosecutions in our cases; of 
10,000 arrests, we arrest 3,000 for identity theft alone, not to men- 
tion the number of investigations that we conduct just involving 
identity theft. The fact that it is so widespread, the fact that the 
Internet has generated vast numbers of opportunities for these peo- 
ple to conduct the fraud in combination with the mail really en- 
hances our field for it. However, as your colleague alluded to be- 
fore, depending on the district, the prosecutions may differ. There 
may be higher guidelines for prosecution than in others. 

We do take our cases to the State offices as well if we can’t get 
prosecution Federally and we think it is a very good case but re- 
sources do not permit, or other reasons. Sometimes we have had 
luck there. I don’t have the numbers in my head from that, but I 
could provide those if that would be a benefit to anyone here. 

Mr. BRADY. What kind of penalties do the businesses face if 
they release unauthorized numbers? 

Mr. MAXWELL. That I would have to refer to probably be more 
of a 

Mr. O’CARROLL. That is really outside of our purview on the in- 
formation that businesses release. The FTC probably would have 
been the best to speak on that, Mr. Brady. 

Mr. BRADY. So, you do the prosecutions, you do the investiga- 
tions, but you don’t track what the ultimate outcome is? 

Mr. MAXWELL. Oh, yes. No, we do in our cases. We take a case 
from opening to closing. If we have a complaint or if we identify 
a situation, we will investigate it, we will follow it through, we will 
present it to the U.S. Attorney, and we will sit at the table with 
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them if there is a trial. We don’t close the case until there is a con- 
viction and a termination. 

Mr. BRADY. What kind of penalty? What would be an average? 
What happens? 

Mr. MAXWELL. It depends on the statute that is used. Some- 
times it is 1029, which is the access device. That is primarily a Se- 
cret Service jurisdiction. Our favorite and the one that we hold 
claim to is mail fraud. So, again, it could take penalties up through 
prison term over 5 years, depending on what is adjudicated based 
on the guidelines, the sentencing guidelines, and moneys can be up 
to 10,000 or more depending on the severity. 

Mr. BRADY. What is the most common case? Someone who has 
a pattern and has done a number of these fraudulently, for a first 
offense, what are they going to get? 

Mr. MAXWELL. The first offense. I would suspect again, I cited 
the Carl Lomax case in Pittsburgh last year, and he took the iden- 
tity of several celebrities, notably Will Smith, the actor. I forget 
what he was sentenced to exactly, but it was several years in pris- 
on, probably under f5, with penalty, but he agreed to cooperate 
with us. There is often an incentive there for them to cooperate. He 
produced a video telling the different techniques he has, so we can 
use that for our training, but the average, it would be hard for me 
to say without averaging it, taking a look. 

Mr. BRADY. Do we need stronger oversight and stronger pen- 
alties? 

Mr. MAXWELL. I am more of a fan of the prevention ends. I 
think our criminal statutes, Congress has definitely equipped us 
well. It is a matter of getting access to information, it is a matter 
of people knowing who to report it to. It is a matter, as earlier dis- 
cussed, of cooperation with the private sector, with the companies 
which we address through different task forces. Any encourage- 
ment coming from the Federal Government certainly helps. I think 
as far as the statutes that are now on the books, I think we are 
fine. We are happy with mail fraud and 1029. 

Mr. BRADY. I guess my thought, and I will wrap it up with this, 
Mr. Chairman, is that I think there are a lot of things we can do 
on prevention. I worry that the horse is out of the barn on SSNs; 
that one of the things we can do is to try and discourage bad actors 
from using them in fraudulent ways. The way you do that is to 
make it pretty tough on those who do and introduce some element 
of you may well get caught in doing this even on a smaller scale. 
That always means more resource and different approaches, but 
prevention we have got to do much more there. We talk about it 
a lot, but, I think we also, whatever we can do on enforcement I 
think may help the numbers that are already floating out there, 
which is probably everyone in this room, by the way. 

Mr. MAXWELL. One of the things that I often refer to in a strat- 
egy is, you can work a number of cases and that looks good, but 
if you work several with some notable names, that brings it to the 
forefront in the media, like this Will Smith case. We also used 
Jerry Orbeck in that campaign over there, where he was a victim 
of identity theft and he talked specifically of his individual case. 
The public often can recognize an affinity with that celebrity. So, 
that helps, too. So, yes, you are right. Deterrence, the arrests, but 
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also get it out in the media, get it out, announced, and talk about 
it. 

Mr. BRADY. Thank you, panel. Thank you, Mr. Chairman. 

Chairman SHAW. I thank all of you. Mr. Pomeroy tells me that 
his questions have been answered by the witnesses. So, this panel 
is dismissed with our appreciation. Thank you very much. The cur- 
rent status of the Committee is that the bells that you heard have 
been calling us to the floor. We have been told that there are going 
to be four votes. That takes a little while, but what I would like 
to do is to introduce the second panel, and then we will recess until 
approximately 1:00 pm. That will give everyone a chance to taste 
the wonderful food we have here in the Capitol. You have eaten 
here before, huh? 

The next panel will be made up of Patricia Foss, from Elkton, 
Maryland. Mark Ladd, who has already been introduced as the 
Public Sector Co-Chairman of Privacy/Access Workgroup (PRIA) 
from Wisconsin. Chris Hoofnagle, Associate Director of the Elec- 
tronic Privacy Information Center (EPIC). Brian McGuinness, who 
is the First Vice President of the National Council of Investigation 
and Security Services (NCISS). He is from my State in Miami, 
Florida. Mike Buenger, who is the President of the Conference of 
State Court Administrators (COSCA), Jefferson City, Missouri. Mr. 
Hulshof wants to introduce him, so I will yield to Mr. Hulshof at 
this time. 

Mr. HULSHOF. As I referenced earlier and had a chance to chat 
with Mike, it is great to have him here. Not only is he our State 
Court Administrator, but he is the President of the national organi- 
zation. We are honored to have him here today, Mr. Chairman. 

Chairman SHAW. Thank you. We also have Fred Cate, who is 
Professor of Law at the University of Indiana, and Edmund 
Mierzwinski, who is the Consumer Program Director of the U.S. 
Public Interest Research group (PIRG). We welcome all of you, and 
we look forward to seeing you at 1:00 p.m.. We will stand in recess. 

[Recess.] 

Chairman SHAW. If the witnesses will take their seats, we will 
resume the hearing. Thank you for tolerating our schedule, which 
is always somewhat unpredictable. Ms. Foss, you are going to lead 
off, please. 

STATEMENT OF PATRICIA FOSS, ELKTON, MARYLAND 

Ms. FOSS. Thank you, Mr. Chairman, for the opportunity to talk 
about my experience as an identity theft victim and also know that 
I, as a victim, applaud you all for looking at this serious issue. Like 
millions of Americans, my experience began when I was notified by 
my bank that my credit had been suspended due to nonpayment. 
After contacting the bank, I learned to my surprise another woman 
had received thousands of dollars of credit using my name and my 
Social Security card. She had my birth date off by 1 day. I was 
stunned to learn that she had gotten a home improvement loan 
from one bank and an automobile loan from another bank. I am not 
sure about the car, but we know she did not have a home. My SSN 
virtually gave her everything she needed to steal my good name 
and my good credit. 
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That was the day I received an introduction to the crime of iden- 
tity theft and how easy it was to be a victim, even when people like 
me are extremely careful of their personal information. I was fortu- 
nate enough when I was talking to the bank to receive good advice 
from them about what I had to do next and who to contact and 
what agencies I needed to talk to. That was when the real work 
began. I understand that an average identity theft victim spends 
over 30 hours trying to clear their name and prove their innocence. 
I can tell you I definitely exceeded that, especially if you count the 
nights when I laid awake and wondered what was going to happen 
next. 

At the time that this happened to me, it was back in 1999 and 
it really wasn’t a common thing at the time, so I and countless 
other people hadn’t even heard of what it was. It took a lot of my 
time, my life away from me. This is the example of the file that 
I kept for a year of trying to get all the paperwork done that was 
required of me to prove that I was indeed who I am. It was, seri- 
ously, like having another job. I had to send to each credit bureau 
as well as countless banks that the other me had used notarized 
letters and documents like my birth certificate and my driver’s li- 
cense and including my SSN. It was kind of ironic, because I felt 
more vulnerable having all that information now out there for 
countless other strangers in trying to prove my innocence than I 
had ever done before the crime happened in the first place. 

I spent hours on hold, and I spent hours in transfer hell. I had 
to take time off of work to visit my own bank and get things nota- 
rized pretty much on a daily basis at least for the first couple of 
months, and it really took me over a year of dealing with at least 
20 different organizations to completely clear the credit reports and 
prove that I was the victim and not the criminal. I still check my 
credit reports at least biannually for fear that either this woman 
or somebody else is going to use my identity again. 

In hindsight, I was really one of the lucky people. Unlike many 
cases, the police actually arrested the woman who was imper- 
sonating me. She was, ironically, an acting student. I thought that 
there was some humor in that. I was told that she walked in one 
of the banks that I had reported the crime to and was leisurely 
making another withdrawal out of an account that she had in my 
name. After she was caught, I was afraid that she also had my 
home address and there would be repercussions once she found out 
that I had turned her in, and so I spent a few nights in fear over 
that. I completed a form to be notified as to what had happened 
in her trial, and the next I heard was last week when I was asked 
if I could testify before this Committee. I know since my experience 
numerous State and Federal laws have been passed to criminalize 
identity theft, and I think it is better than it was when this hap- 
pened to me, but I would say that much more still needs to be 
done, because the number of identity theft victims continue to in- 
crease every year. 

Chairman Shaw, I applaud your efforts to restrict the dissemina- 
tion of SSNs. To this day, I still don’t know how this woman got 
mine. No one does, and she didn’t admit anything when she was 
prosecuted, apparently. As you go through your deliberations I 
guess I would ask you to consider the following things: I believe 
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that credit grantors are a big part of the problem. I don’t under- 
stand why they don’t check more into people’s credentials before 
they hand them money. If they don’t follow those kind of proce- 
dures, shouldn’t they be somehow accountable in some ways? I 
can’t understand that kind of carelessness as what happened with 
me. 

Also, I guess I would ask, where is the funding for enforcement? 
I know that there are punishment penalties in the bill. If there is 
not money for enforcement, I can’t imagine that many of these peo- 
ple are going to be caught. Truly, the heroes in my story were the 
police, one bank’s fraud officer, the postal inspectors and the spe- 
cial agents in the Social Security Office of the Inspector General, 
but I was one of the lucky ones. Last, I feel that I would like to 
see more funding for agencies like the SSA or some agency so that 
people like me could have a central point of contact and somebody 
to help them through the mass of paperwork that is required of 
them. Thank you again for letting me tell my story. 

Chairman SHAW. Thank you. If I may, just out of curiosity, was 
she found guilty and what was her penalty? 

Ms. FOSS. I just found that out yesterday, which was inter- 
esting. She was prosecuted. She was found guilty. The sentence 
was, I believe, 6 months; and she was required to pay back $69,000 
in restitution to the organizations that had given her the money. 

Chairman SHAW. So, the system worked in your case. 

Ms. FOSS. The system worked in my case, but it sure took a long 
time. 

[The prepared statement of Ms. Foss follows:] 

Statement of Patricia Foss, Elkton, Maryland 

Chairman Shaw and members of the committee, thank you for the opportunity 
to talk about my experiences as a victim of identity theft. I’m grateful to you for 
addressing this critical issue. 

Like millions of other Americans, my experience began when I was notified by my 
bank that my credit had been suspended because of non-payment. After contacting 
the bank, I learned to my surprise that another woman had received thousands of 
dollars of credit using my name and my perfect credit history. I was stunned to 
learn that she had obtained a home improvement loan at one bank, and an auto- 
mobile loan from another. My social security number had provided her with the ac- 
cess she needed to damage my good name and credit. 

That was the day I received an introduction to the crime of identity theft, and 
how easy it was to become a victim, even when you’re careful about your personal 
information. 

I was fortunate enough to receive good advice from my bank, MBNA, and was pro- 
vided information on how to respond. But that was where the real work to prove 
my innocence began. I understand that on average an identity theft victim spends 
over 30 hours proving their innocence. I’m sure I exceeded that number, especially 
if you count the nights I lay awake wondering where she would strike next. She 
not only stole my identity, she took weeks of my life away from me. 

I had to send each credit bureau, as well as the countless banks the other “me” 
had used, notarized letters and copies of documents like driver’s license and birth 
certificate. I spend hours on hold and in transfer hell. I had to take time off of work 
to visit my own bank, and had to deal daily with proving I was the real Patricia 
Foss. It was truly like having a second job. 

It took me almost a full year of dealing with over 20 different organizations to 
completely clear my credit reports and prove that I was the victim, and not the 
criminal. I still check my credit reports biannually with the fear that sooner or 
later, this woman, or someone else, will use my identity again. 

In hindsight, I was one of the lucky ones. Unlike many cases, the police actually 
arrested the woman who stole my identity. She was appropriately, an acting stu- 
dent. I was told that she walked into one of the banks to which I’d reported the 
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crime and was leisurely making another withdrawal. After she was caught, I was 
afraid that she also had access to my home address and would threaten my safety 
once she realized that I’d reported her crime. I had completed a form to request that 
I be notified of the outcome of her trial. That was the last I heard until last week 
when I was contacted about testifying before this subcommittee. 

I know that since my experience, numerous state and federal laws have been 
passed to criminalize identity theft. More obviously needs to be done as the number 
of identity theft victims continues to increase every year. 

Chairman Shaw and members of the subcommittee, as a victim, I applaud your 
efforts to restrict the dissemination of social security numbers. To this day, I still 
do not know how this woman impersonating me obtained mine. As you go through 
your deliberations, I would also ask you to consider the following; 

• Credit grantors continue to be a part of the problem. Shouldn’t banks and other 
credit grantors be required by law to conduct a more complete check of creden- 
tials before handing people money? If they don’t follow such procedures, 
shouldn’t they be held accountable in some way? I do not understand how they 
can afford to be so careless. 

• Where is funding for enforcement? I was pleased with the provisions to add 
more criminal penalties to punish identity theft criminals. But if there isn’t 
money for enforcement, they won’t be caught in the first place. The heroes in 
my story were the police, one bank’s fraud officer, and the postal inspectors. But 
then, I was lucky. 

• More funding is needed for agencies like the Social Security Administration to 
help victims have a central point of contact and assistance negotiating the mass 
of paperwork required to clear their name. 

Thank you for the opportunity to speak with you about my experience. 


Chairman SHAW. Yes. Mr. Ladd. 

STATEMENT OF MARK LADD, PUBLIC SECTOR CO-CHAIR, PRI- 
VACY/ACCESS WORKGROUP, PROPERTY RECORDS INDUS- 
TRY ASSOCIATION, RACINE, WISCONSIN 

Mr. LADD. Good afternoon, Mr. Chairman. Again, I am Mark 
Ladd. I am the Register of Deeds for Racine County, Wisconsin; 
and I am the Public Sector Co-Chair for the PRIA’s Privacy/ Access 
Workgroup. I appreciate the opportunity to come and speak regard- 
ing H.R. 2971 and its impact on land records custodians. The 
collateralization of real property is a fundamental part of our econ- 
omy. Leveraging real property is possible because of the publicly 
available information regarding a specific parcel of land. Our Na- 
tion’s private ownership of land is based on a necessary access to 
publicly recorded land information. 

On the other hand, citizens are concerned that personal informa- 
tion is sometimes contained in these real property records and can 
be used for identity theft. By example, SSNs are often included in 
mortgage documents, tax liens, divorce decrees and other docu- 
ments that convey real property. However, for land records 
custodians, there is little legal purpose for having that number in- 
cluded in the record. 

The PRIA hosted a roundtable forum on this topic back in Feb- 
ruary of 2003. We had 25 different roundtable participants with a 
broad range of industry expertise: State, local government, Federal 
government representatives, land records officials, trade associa- 
tions from the real estate industry, as well as a couple of organiza- 
tions dedicated to consumer privacy. At the conclusion of the 
roundtable, we actually spun up a Privacy/Access listserve, an e- 
mail discussion to continue to foster additional conversation on the 
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topic. That list serve discussion was followed up by 2 days of facili- 
tated educational discussions during our winter conference earlier 
this year. In the discussions, we reviewed the historical founda- 
tions of American’s land records system and our public records 
laws and then we debated several suggestions for model legislation. 

It is with this background in mind that I would like to offer our 
comments regarding H.R. 2971. Section 101 of the bill prohibits the 
display to the general public of a SSN and then goes on to define 
“display” as posting on a website. Well, the Internet has become an 
important tool for many land records custodians to publish records. 
More and more counties are developing Internet -based sites de- 
signed so that citizens can conduct business with government when 
it is convenient for the citizens, and these sites often include data 
as well as images of documents. 

Now, again, our discussions show that few occurrences of the 
SSN land records are required by government agencies or required 
by land record agencies, but, rather, they may be required by the 
Internal Revenue Service or State taxing authorities. A lot of times 
SSNs appear in a document, and they are placed there by the docu- 
ment preparer for the benefit of their business process or the busi- 
ness process of one of their partners. However, we have no statu- 
tory authority under current law to refuse to enter these docu- 
ments into the public record. In its current form, this bill would 
prohibit us from using the Internet to post our records, and this re- 
moves an important tool from our use. Another thing to note is, 
even with this provision, SSNs can still become part of the public 
record and an individual’s privacies are at risk in the courthouse 
because, again, these are public records that anyone can come and 
obtain. We would think that there are several elements that need 
to be addressed in any type of legislation to deal with this issue. 

First, we applaud this provision of H.R. 2971 in that this needs 
to be on a day forward basis. Redaction and the expunging of the 
records is physically difficult, if not impossible. The prohibition 
should be on putting the SSN in any document that will become 
part of the public record, and this should also include the authority 
to public records officials to reject the recording. However, that au- 
thority needs to be permissive, rather than prescriptive. Prescrip- 
tive authority is impossible for us to manage. The sheer volume of 
documents to check for that SSN in a 27-page mortgage, in an of- 
fice of my size only 300 documents a day, in larger offices thou- 
sands of documents a day, it is just impossible to manage. 

If a document contains a SSN, after this law is adopted, we 
would suggest that land records officials be empowered to redact 
the number. That is an important provision for an administrative 
function that we provide. Providing certified copies of documents 
requires us to provide an exact copy of the document that was pre- 
sented to us. Without that type of authority, we can’t fulfill that 
role. Again, we recognize that it is an impossible task for land 
records officials to manage. We are poor gatekeepers, just due to 
the size of the task, but we believe that our recommendations can 
provide the goal of protecting SSNs without jeopardizing the flow 
of commerce or placing an unbearable burden on the shoulders of 
local government. I look forward to answering further questions as 
the hearing continues. Thank you. 



66 


[The prepared statement of Mr. Ladd follows:] 

Statement of Mark Ladd, Public Sector Co-Chair, Privacy/Access 
Workgroup, Property Records Industry Association, Racine, Wisconsin 

Good morning Mr. Chairman and members of the Committee: 

My name is Mark Ladd. I am the Register of Deeds for Racine County, WI, and 
I am the Public Sector Co-Chair of the Property Records Industry Association 
(PRIA) Privacy/Access workgroup. I appreciate the opportunity to speak to you today 
regarding personal information and privacy issues as it relates to the land records 
industry. 

The PRIA is a public/private partnership and its mission is to work together to 
identify issues, define problems and develop solutions to bring consistency to the 
property records industry. The PRIA membership includes over 260 land records of- 
ficials and 105 private sector partners. The PRIA has completed projects such as 
developing a document-formatting white paper, notary essentials white paper and 
created the model statute for Military Discharge (DD214s) documents and developed 
the Military Discharge DD214 Tangible Interest form. The PRIA currently has sev- 
eral projects in development including, Electronic Recording Standards in alliance 
with the Mortgage Bankers Association; Archival Back-up and Disaster Recovery; 
Parcel Code Review; 1 st Page Indexing Requirements and the Records Access Policy 
Advisory Committee. 

The collateralization of real property, often taken for granted, is a fundamental 
part of our economy. Leveraging real property is possible because of the public avail- 
ability of information regarding a specific parcel. Our nation’s private land owner- 
ship is based on necessary access to publicly recorded real property information. For 
many reasons, the property record system requires that the general public have a 
right to know who owns or has certain interests in real property. Two of these rea- 
sons, for example, are: 

(1) to protect the investors lien rights, and 

(2) to assure fair assessment and taxation of like properties. 

On the other hand, citizens are concerned that personal or sensitive information 
is sometimes contained in real property records and may be used for criminal intent, 
such as identity theft. An example of sensitive information with little legal purpose 
to protect investor lien rights, yet quite useful to identity thieves, is a Social Secu- 
rity number. Social Security numbers can appear in some mortgage documents, tax 
liens, or even a divorce decree that conveys real property. 

Privacy interests and the interest for disclosure of land records information often 
appear at odds with each other. This poses a dilemma for land records officials at- 
tempting to balance these two points of view. This is perhaps one of the greatest 
public policy questions faced in recent years. The PRIA is convinced that a workable 
balance can, and in fact, must be reached on this issue. That balance should protect 
personal privacy without impeding commerce or overburdening land records offices. 

Realizing there was little or no communication between various groups within the 
United States regarding Privacy and Access issues, the PRIA convened the nation’s 
first roundtable forum in WashingtonD.C. on February 26, 2003 to discuss this 
issue. 

The 25 roundtable participants covered a broad range of industry representatives 
including representatives of the federal government (IRS and GAO), state and fed- 
eral court systems, Land Records Officials, national associations in the real estate 
industry including the National Association of County Recorders, Election Official 
and Clerks, the International Association of County Recorders Election Officials and 
Treasurers, the American Land Title Association, the American Escrow Association, 
the National Public Records Research Association, the Mortgage Bankers Associa- 
tion, the Appraisal Institute, American Bar Association, national credit bureaus, as 
well as two of the most influential organizations dedicated to consumer privacy 
issues. In addition, there were 150 registered observers, representing a broad spec- 
trum of the industry. 

Several topics were covered during the roundtable in a lively, thought provoking, 
daylong discussion. The PRIA has minutes and created a CD, both are available on 
the PRIA website located at www.pria.us 

At the conclusion of this meeting the PRIA formed a committee to continue to ad- 
vance this issue. A Privacy/Access listserve was established as a forum to foster ad- 
ditional discussion on the topic of personally identifiable information contained in 
public records. The listserve activity included a discussion of: 

(1) what information is required for the conduct of commerce? 

(2) could rules relating to document creation address the needs of all interested 
parties? and 
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(3) should we consider restricting access to certain types of records? 

The list serve discussion was followed by two days of facilitated educational dis- 
cussions during our 2004 Winter Conference in Washington D.C. During these dis- 
cussions PRIA members reviewed the historical foundations of American public 
records and then addressed the policy issue by debating several suggestions for 
model legislation. 

It is with this background in mind that we offer the following comments relating 
to HR 2971. 

Section 101 of the proposal contains a prohibition of the “display to the general 
public” of a Social Security number (Page 3, Lines 18 &19). “Display” is later clari- 
fied as “to intentionally place such number in a viewable manner on an Internet 
site.” 

The Internet has become an important tool for many land records custodians to 
publish records. More and more counties are developing what is being called a “vir- 
tual courthouse.” These Internet based sites are designed so that citizens can con- 
duct business with government when it is convenient for the citizen and these sites 
can include data as well as images of documents. 

The PRIA discussions reveal that few occurrences of the Social Security number 
in land records are required by any government agency with the exception of the 
IRS and state taxing authorities. For non-taxation documents, the Social Security 
number is normally included by the document preparer for the benefit of their busi- 
ness practices or that of a business partner. While the problems associated with this 
practice may seem obvious to us, this is a standard practice with a number of finan- 
cial institutions. Land records officials have no statutory authority under current 
law to refuse to record such documents. 

In the bill’s current form, this provision would prevent land records custodians 
from posting currently recorded land records on the Internet, thus removing an im- 
portant tool from our use. 

Another provision of Section 101 further defines a Social Security number as “any 
derivative of such number” (Page 5, Lines 20 & 21). 

Some land records officials have had conversations with the IRS regarding remov- 
ing the Social Security number from Federal Tax Liens. One solution often repeated 
by the IRS is including only the last four digits of the Social Security number. This 
would appear to be a violation of this provision. Since Federal Tax Liens attach to 
an individual and not a specific parcel of real property, it will become very difficult 
for title searchers to determine the applicability of these liens. 

Section 102 requires the Attorney General to consider the cost or burden to local 
governments of complying with the restrictions imposed by any rules to be adopted 
under this bill (Page 8, Lines 1-7). 

This clause is helpful, as the task of assuring that documents, some of which may 
be quite voluminous, do not contain Social Security numbers, represents a Hercu- 
lean undertaking on a daily basis, even in the smallest of jurisdictions. 

Using Racine County as an example. Racine County has a population of 190,000 — 
a medium sized county. In 2003 Racine County recorded just under 80,000 docu- 
ments that contained approximately 400,000 total pages. That equates to 1600 
pages that must be reviewed by a staff of 6, every business day. During most of 
2003 the office was operating with a backlog of 2-3 weeks, without any requirement 
to search for Social Security numbers in the documents. 

Most of the review that staff performs on real estate documents is done by check- 
ing the first and last pages of a document. If we were required to check for the in- 
clusion of a Social Security number, which could be anywhere in the document, it 
would more than double the task of reviewing documents. 

From a national perspective there were approximately 125 million real property 
documents recorded in 2003. 

Section 201 moves to another area that local government offices administer, spe- 
cifically, birth records. This section contains a requirement to independently verify 
any birth record provided in support of the application process (Page 20, Lines 21- 
23). 

The PRIA would like clarification of this provision’s intent and impact. Our con- 
cern is that vital record offices issue certified copies of birth records that contain 
a certification statement that includes the issuing officer’s signature and the depart- 
ment seal. Most states have adopted (or will soon be adopting) standards for secu- 
rity paper to be used for these certificates. These standards include features that 
make the paper tamper evident. Independent verification from State and local of- 
fices would only be necessary when a certificate appears to have been altered or is 
not on security paper. 

The financial burden to state and local governments in implementing any aspect 
of this provision should be addressed as well. 
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Section 201 goes on to require a feasibility study, which includes the costs of elec- 
tronic third party verification of identity documents (Page 21, Lines 16-21). 

Most state and local offices are only beginning to investigate the costs of devel- 
oping such systems. We cannot overstate the fact that the current fiscal environ- 
ment faced by most state and local governments makes this type of development a 
challenge even when policy makers support the goals and benefits of such an under- 
taking. 

In Wisconsin, I serve on the committee that has been assembled by the Depart- 
ment of Health and Family Services Vital Records Bureau to develop the specifica- 
tions for such a system. My optimistic estimates are that this project could be mini- 
mally operational in two to four years with a mature system being six or more years 
down the road. 

As I stated in my introductory remarks, the Property Records Industry Associa- 
tion has had extensive discussions regarding this topic and I would now like to offer 
our suggestions as to elements that this type of legislation should encompass. 

1. Legislation should be effective on a “day-forward” basis. It should not require 
redaction or expungment in records already filed or recorded. 

2. Consider prohibiting the inclusion of Social Security numbers on documents 
that will become part of the public record. This could include providing land records 
officials the authority to reject a document for filing/recording that includes a Social 
Security number. Practically speaking however, rejection authority needs to be per- 
missive rather than prescriptive. As I described earlier, the shear volume of docu- 
ments and the number of pages involved will make prescriptive authority difficult 
to manage. 

3. Next we suggest that if a document recorded after the effective date of the leg- 
islation contains a Social Security number, the land records official should have the 
authority to redact the Social Security number from the document. 

This is an important provision for an important ministerial function — that of pro- 
viding certified copies of records in our offices. Our certification statement requires 
that we provide an exact copy of a recorded document. We need to be explicitly em- 
powered to redact the Social Security number without compromising the integrity 
of future certified copies we issue. 

4. The PRIA acknowledges the nearly impossible task faced by land records offi- 
cials in attempting to keep Social Security numbers out of the public record and it 
believes this responsibility is more properly placed on document preparers and indi- 
vidual consumers. Accordingly, PRIA believes that, for any law prohibiting a Social 
Security number in land records, land records officials should be immune from suit 
relating to documents filed/recorded that include Social Security numbers. 

While land records officials will assist when and where they can, the scope of the 
task of checking every page of every document for Social Security numbers is simply 
beyond their ability to perform. The time to prevent Social Security numbers from 
becoming part of the public record is when the document is created — before the par- 
ties execute them, not when they are presented for recording. 

There is simply too much dependence in today’s marketplace on the social security 
number. The PRIA believes education is a major component in developing solutions 
to this problem. Already we are seeing insurance companies and others using an 
alternative ID number on insurance cards rather than the social security number. 

Utilizing existing associations such as the PRIA, Mortgage Bankers Association, 
Fannie Mae, Freddie Mac, American Land Title Association, American Escrow Asso- 
ciation, etc. and with the help of the federal government, this problem can be dras- 
tically reduced if not eliminated. 

Thank you for giving the PRIA the opportunity to address this important public 
policy issue. Our discussions and policy debates instruct us that the time to address 
this problem is during the drafting of the documents. We believe that our rec- 
ommendations can achieve the goal of protecting Social Security numbers in regards 
to the public record without jeopardizing the flow of commerce or placing an unbear- 
able burden on the shoulders of local government. 


Chairman SHAW. Thank you, Mr. Ladd. It sounds like you may 
need a State statute. Mr. Hoofnagle. 
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STATEMENT OF CHRIS JAY HOOFNAGLE, ASSOCIATE 

DIRECTOR, ELECTRONIC PRIVACY INFORMATION CENTER 

Mr. HOOFNAGLE. Thank you, Chairman Shaw, for holding this 
hearing today and for continuing to build a rich legislative history 
on why Congress needs to act to enhance the privacy and integrity 
of SSNs. My name is Chris Hoofnagle. I am Associate Director with 
the EPIC. We have been involved with SSN regulation for many 
years and also in litigation. We filed an amicus brief in a very im- 
portant case known as the Amy Boyer case where a woman was lo- 
cated and essentially stalked through the help of a data broker and 
a private investigator. We have submitted detailed written testi- 
mony for the record today. I just want to highlight some of the 
points we make in this written testimony, and I look forward to 
your questions afterward. 

As you are well aware, today the SSN plays an unparalleled role 
in identification, authentication and tracking of Americans. Its use 
in the public and private sector heightens the risk of identity theft 
and abuse because institutions use the SSN both to identify people 
but also to authenticate them. So, Representative Tubbs Jones was 
bringing up this issue earlier, the same number you use to identify 
a credit file is often used to authenticate or to verify the identity 
of someone; and from a security standpoint, that is a major risk. 
It is not unlike choosing an e-mail address and using your e-mail 
address as the password, the exact same series of letters. 

The other issue I wanted to highlight from our testimony is the 
role that public records play in providing personal information to 
commercial data brokers and to others who are amassing personal 
information about individuals. Oftentimes we are compelled by law 
or compelled from wanting to enjoy the rights and benefits of our 
society into providing personal information that ends up in a public 
register; and once your SSN or other information ends up in a mar- 
riage license or a land record, anyone can come along and use that 
personal information for any purpose. So, we do think that it is im- 
portant in your legislation to include strong language keeping the 
SSN, and keeping certain personal identifiers out of public records 
before they reach the general public. 

There are several parts of H.R. 2971 that we think are very 
strong, and they belong in any SSN privacy bill. The first is the 
provision on coercive disclosure. We think it is very important that 
businesses not be able to withhold a product or service when they 
ask for a SSN without authority to do so, and I think that your leg- 
islation is well crafted in section 109 because businesses that actu- 
ally have a legal right to the identifier will still be able to request 
the SSN. We think it is very important that Section 108 be in- 
cluded in any legislation that moves to the full House, section 108 
would move the SSN below the credit header line and require indi- 
viduals who are trying to buy SSNs to have a permissible purpose 
under the Fair Credit Reporting Act before getting access to the 
identifier. I think that is a very important protection, and we com- 
mend you for including it in the legislation. 

Finally, we think it is very important that States be discouraged 
from placing the SSN on drivers’ licenses and other identifiers pro- 
vided to individuals. We would recommend one enhancement to the 
legislation in this regard. We have become aware that some States 
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do not put the SSN on the actual card. They don’t publish it on the 
card, but they embed it into the bar code or into the magnetic strip, 
and then businesses or other individuals can swipe the driver’s li- 
cense and collect the SSN from individuals. I think it is important 
that prohibitions recognize the risk of automated data collection 
from drivers’ licenses and how SSNs might be swept in that equa- 
tion. 

We also encourage you to look to the leadership of the States in 
developing SSN legislation. A number of States have passed very 
strong regulations that deal with use of SSN in the private sector, 
the use of the SSN in the context of colleges and universities and 
with regards to course of disclosure; and their leadership should be 
emulated at the Federal level. 

As I am running out of time, let me highlight what Ms. Foss said 
earlier about the role of credit granting and identity theft. In our 
written testimony we have given numerous examples of cases 
where victims had their identities stolen and it would not have oc- 
curred but for the presence of the SSN. The identity thief filled out 
an application to get credit. Oftentimes, the date of birth was 
wrong, the name was wrong, address was wrong. The SSN was 
right, and so the SSN was a key to identity theft in all of those 
cases, and it sounds as though those cases are similar to yours, Ms. 
Foss. So, we encourage an examination of credit granting practices 
as well, it appears as though they are contributing to the identity 
theft problem. Thank you, Mr. Chairman. I look forward to your 
questions. 

[The prepared statement of Mr. Hoofnagle follows:] 

Statement of Chris Jay Hoofnagle, Associate Director, Electronic Privacy 

Information Center 


Introduction 

Chairman Shaw, Ranking Member Matsui, and Members of the Subcommittee, 
thank you for extending the opportunity to testify enhancing the privacy and integ- 
rity of Social Security Numbers. 

My name is Chris Hoofnagle and I am associate director with the Electronic Pri- 
vacy Information Center (EPIC), a not-for-profit research organization based in 
Washington, D.C. Founded in 1994, EPIC has participated in cases involving the 
privacy of the Social Security Number (SSN) before federal courts and, most re- 
cently, before the Supreme Court of New Hampshire. 1 EPIC has also taken a lead- 
ing role in campaigns against the use of globally unique identifiers (GUIDs) involv- 
ing the Intel Processor Serial Number and the Microsoft Corporation’s Passport 
identification and authentication system. EPIC maintains an archive of information 
about the SSN online at http://www.epic.org/privacy/ssn/. 

In previous testimony to this Subcommittee, EPIC has recommended a strong 
framework of Fair Information Practices to create rights and responsibilities for in- 
dividuals and collectors of the SSN. In 2001, EPIC Executive Director Marc 
Rotenberg traced the history of the SSN as an identifier, highlighted the use of the 
SSN in the financial services sector, and raised privacy issues associated with the 
Social Security Administration’s Death Master File. 2 In 2002, EPIC testified that 
the problem of identity theft had grown worse, that the states were acting to limit 
collection and disclosure of the SSN, and that 107 H.R. 2036, the Social Security 


1 Estate of Helen Remsburg v. Docusearch, Inc., et al, C-00— 211— B (N.H. 2002). In Remsburg, 
the “Amy Boyer” case, Liam Youens was able to locate and eventually murder Amy Boyer 
through hiring private investigators who tracked her by her date of birth, Social Security Num- 
ber, and by pretexting. EPIC maintains information about the Amy Boyer case online at http:// 
www.epic.org/privacy/boyer/. 

2 Social Security Numbers and Identity Theft, Joint Hearing Before the House Financial Serv- 
ices Subcommittee on Oversight and Investigations and the House Ways and Means Sub- 
committee on Social Security, Nov. 8, 2001 (testimony of Marc Rotenberg, Executive Director, 
EPIC), available at http://www.epic.org/privacy/ssn/testimony_ll_08_2001.html. 
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Number Privacy and Identity Theft Protection Act of 2001 could limit misuse of the 
SSN. 3 In 2003, EPIC appeared again to testify in favor of privacy protections, high- 
lighting recent abuses, the continuing unnecessary use of the SSN as an identifier 
by both private and public sector entities, and the developing trends of state legisla- 
tion crafted to limit collection and use of the identifier. 4 

Chairman Shaw, we commend you for developing a rich legislative record on the 
need to protect the SSN and to combat identity theft. In today’s testimony, we wish 
to continue to contribute to the record and make a recommendation that you ad- 
vance legislation to secure the SSN and protect Americans from identity theft. First, 
we provide an overview and recommendations for 108 H.R. 2971, the Social Security 
Number Privacy and Identity Theft Prevention Act of 2003. Second, we highlight ex- 
amples of state SSN regulation that could be adopted at the federal level to provide 
an umbrella of protections for the SSN. In the third section, we argue that identity 
theft is caused by excessive reliance on the SSN and by lax credit granting prac- 
tices. 

I. Recommendations for 108 H.R. 2971, the Social Security Number Privacy 
and Identity Theft Prevention Act of 2003 

Introduced in July 2003, H.R. 2971 is the latest of a series of bills designed to 
enhance protections for the SSN and to promote the integrity of the identifier. It 
enjoys bipartisan support in the House of Representatives. 

Title I of the bill sets forth limitations on government disclosure of SSNs. Broadly 
put, this title would prohibit executive, legislative, or judicial entities from dis- 
closing the SSN, subject to certain exceptions. 

We think it important to limit the exceptions for governmental sale of the SSN. 
Specifically, we recommend that subsection (V), which allows unlimited sale of SSNs 
to thousands of credit reporting agencies (CRAs), be removed from the bill. This ex- 
ception is too broad and allows unrestricted transfers of government records con- 
taining social security numbers to CRAs, possibly for purposes unrelated to credit 
reporting, including direct marketing. 

It is not the role of government to collect SSNs from citizens, who are often under 
legal compulsion to provide the identifier, and then release the SSNs to the private 
sector for the purpose of compiling dossiers. Professor Daniel Solove has fully articu- 
lated how this model of information flow is unfair to individuals and privacy 
invasive: 

Imagine that the government had the power to compel individuals to reveal 
a vast amount of personal information about themselves — where they live, their 
phone numbers, their physical description, their photograph, their age, their 
medical problems, all of their legal transgressions throughout their lifetimes 
whether serious crimes or minor infractions, the names of their parents, chil- 
dren, and spouses, their political party affiliations, where they work and what 
they do, the property that they own and its value, and sometimes even their 
psychotherapists’ notes, doctors’ records, and financial information. 

Then imagine that the government routinely poured this information into the 
public domain — by posting it on the Internet where it could be accessed from 
all over the world, by giving it away to any individual or company that asked 
for it, or even by providing entire databases of personal information upon re- 
quest. In an increasingly “wired” society, with technology such as sophisticated 
computers to store, transfer, search, and sort through all this information, 
imagine the way that the information could be combined or used to obtain even 
more personal information. 5 

If this exception remains in the legislation, we recommend that it be narrowed. 
Currently, the exception allows disclosure of the SSN to CRAs without any limita- 
tion on use of the identifier. A narrower exception would allow disclosure but limit 
use of the identifier for “credit reporting practices consistent with the Fair Credit 
Reporting Act, 15 U.S.C. 1681.” 


3 Hearing on Preserving the Integrity of Social Security Numbers and Preventing Their Misuse 
by Terrorists and Identity Thieves, Joint Hearing Before the House Ways and Means Sub- 
committee on Social Security and the House Judiciary Subcommittee on Immigration, Border Se- 
curity, and Claims, Sept. 19, 2002 {testimony of Chris Jay Hoofnagle, Legislative Counsel, 
EPIC), available at http://www.epic.org/privacy/ssn/ssntestimony9.19.02.html. 

4 Hearing on Use and Misuse of the Social Security Number, Hearing Before the House Ways 
and Means Subcommittee on Social Security, July 10, 2003 (testimony of Chris Jay Hoofnagle, 
Deputy Counsel, EPIC), available at http://www.epic.org/privacy/ssn/testimony7.10.03.html. 

5 Professor Daniel Solove describes this problem in Access and Aggregation: Public Records, 
Privacy, and the Constitution, 86 Minnesota Law Review 1137 (2002), available at http://pa- 
pers. ssrn.com/sol3/papers. cfm?abstract_id=283924. 
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In section 101, we recommend harmonizing the definition of “sale” with other ref- 
erences to the term that appear in the legislation. The definition appearing in sec- 
tion 107, which defines sell as “to obtain, directly or indirectly, anything of value 
in exchange for such number,” is more appropriate. 

Section 102 specifies the authority of the Attorney General to create exemptions 
to the general prohibition on government disclosure of the SSN. We agree with the 
standard set forth by the legislation — that SSNs should not be disclosed absent a 
compelling interest that cannot be served through the employment of alternative 
measures. We are concerned, however, that the Attorney General will still approve 
of privacy-invasive transfers of the SSN despite this high standard. In documents 
obtained under the Freedom of Information Act, EPIC has shown that private-sector 
commercial data brokers (CDBs) play a large role in collecting SSNs and other infor- 
mation for sale to law enforcement. 6 Simply put, there is a risk that the Attorney 
General will act in self-interest, and approve broad disclosures of SSNs to CDBs 
that then resell the identifier back to law enforcement or other entities. 

We recommend several substantive safeguards against permissive regulations 
that would allow broad disclosure of the SSN. First, the rulemaking should be open 
to public comment. Public polling shows that individuals are concerned about in- 
creasing use of the SSN; allowing public comment will effectively express popular 
opposition to expanding use of the identifier. 

Second, we think that the qualifier “undue” should be removed from the standard 
articulated in Section 101 (a)(I)(ii)(II), and that identity theft be added as one of the 
risks to be considered by the rulemakers. As currently drafted with “undue” as a 
qualifier and without the special recognition of identity theft as a risk of SSN disclo- 
sure, the language will tilt the balance in favor of expanding disclosure of the SSN. 
A more appropriate balance would be struck with language specifying, “it is reason- 
ably certain that the social security numbers will not be used to commit or facilitate 
fraud, identity theft, or bodily, emotional, or financial harm.” 

Third, we think that exceptions to the general prohibition should be limited in du- 
ration. A time limit will encourage users of the SSN to transition to alternative 
identifiers. Exceptions that are not time limited will ensure that SSN users never 
transition to alternative measures. 

Last, entities receiving SSNs should be held to technical safeguards to shield the 
identifier from employee misuse or theft. We recommend that the following factor 
be added to the rulemaking: “(III) the social security numbers sold, purchased or 
displayed will be protected by adequate safeguards, including but not limited to 
encryption measures and regular auditing of SSN access and disclosure.” 

Section 103 would codify an important safeguard — a prohibition of printing SSNs 
on checks issued by governments. This is a common sense protection against iden- 
tity theft. It is necessary because a standard check with a SSN contains all the per- 
sonal information necessary for commission of identity theft. 

Section 104 would prohibit states from displaying the SSN on driver’s licenses. 
Again, this is a common sense approach to preventing identity theft. Indeed, many 
states already incorporate a ban on printing the SSN on driver’s licenses. 7 Such a 
prohibition makes it more likely that the SSN will not appear in the wallet of indi- 
viduals, thus reducing the risk that a lost or stolen wallet will provide the personal 
information necessary to commit identity theft. 

We recommend that section 104 also prohibit states from encoding the SSN on 
magnetic strips, barcodes, or smartcards on the driver’s license, as we are aware 
that while some states do not print the SSN on the card, they may embed the iden- 
tifier digitally on the card. 8 Anyone with a card reader can swipe the card and cap- 
ture the identifier. Increasingly, businesses are capturing patrons’ personal data 


6 See e.g. Electronic Privacy Information Center, ChoicePoint, available at http://epic.org/pri- 
vacy/choicepoint/; Chris Jay Hoofnagle, Big Brother’s Little Helpers: How ChoicePoint and Other 
Commercial Data Brokers Collect, Process, and Package Your Data for Law Enforcement, Uni- 
versity of North Carolina Journal of International Law & Commercial Regulation (Spring 2004). 

7 See Ariz. Rev. Stat. §28-3158; C.R.S. §42-2-107; C.R.S. §42-3-302; D.C. Code Ann. §50- 
402; O.C.G.A. §40-3-23; HRS §286-109; HRS §286-239; Idaho Code §49-306; Idaho Code §49- 
2444; Ky. Rev. Stat. Ann. § 186.412; Mont. Code Ann. § 61— 5-lll(2)(b); Nev. Rev. Stat. Ann. 
§483.345;.N.H. Rev. Stat. Ann. §263:40— a; N.D. Cent. Code 39-06—14; Ohio Rev. Code Ann. 
§4501.31; Okla. Stat. Ann. tit. 47, §6-106 (2002); Pa. Cons. Stat. Ann. §1510; Tenn Code Ann. 
§55-50-331; Tex. Trans. §521.044; Va. Code Ann. §46.2—342; Wash. Rev. Code Ann. 
§26.23.150. 

8 Beatriz da Costa, Jamie Schulte and Brooke Singer, Who is Swiping ?, n.d., available at 
http://www.we-swipe.us/research.html. 
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from driver’s licenses. 9 Removing the SSN from encoded portions of driver’s licenses 
will cut down on unnecessary collection of the identifier. 10 

Section 106 would prohibit government entities from allowing prisoners to have 
access to the SSN. We think that this too is a common sense protection, in light 
of the Metromail case, where a company employed prisoners to enter personal infor- 
mation from surveys into computers. This resulted in a stalking case where a pris- 
oner harassed a woman based on information she submitted on a survey. The 
woman received mail from a convicted rapist and burglar who knew everything 
about her — including her preferences for bath soap and magazines. The woman sued 
and as a result of a class-action suit, Metromail may no longer use prisoners to proc- 
ess personal information. 11 Nevertheless, a general prohibition on inmate access to 
SSNs is appropriate, and California and Kentucky already have passed legislation 
to keep SSNs out of the hands of prisoners. 12 

Section 107 generally prohibits disclosure of the SSN in the private sector, subject 
to exceptions. We think it important to limit exceptions to the general prohibition 
in order to curb private sector use of the SSN. First, the exception for public health 
purposes should be limited to “emergency public health purposes.” In its current ar- 
ticulation, this exception could allow medical providers and insurance companies to 
continue to rely upon the SSN in normal operations. Limiting the exception will en- 
courage the industry to shift away from the identifier. We note that Empire Blue 
Cross is transitioning its 4.8 million customers away from the SSN as an identifier, 
demonstrating that it is possible for large health care operations to use an alter- 
native identifier. 13 

Section 107 contains an exception for SSNs of the deceased, meaning that they 
could be freely traded on the market. We think there are important public policy 
reasons to place some protections on SSNs of the deceased. SSNs of deceased indi- 
viduals should receive protection for the same reasons that justify protections for 
living individuals; those reasons include preventing fraud and identity theft. Addi- 
tionally, criminals are known to assume the identities of deceased individuals in 
order to engage in criminal acts and to avoid law enforcement. Some protection for 
these identifiers is justified. 

Section 108 codifies a much-needed protection for the SSN. Prior to the implemen- 
tation of the Gramm-Leach-Bliley Act, CRAs and other entities sold SSNs in credit 
headers to individuals outside Fair Credit Reporting Act regulation. We understand 
that some businesses are still selling SSNs from credit headers that were collected 
before implementation of Gramm-Leach-Bliley. Section 108 would eliminate this un- 
regulated sale of SSNs by tying the identifier to the credit report, and thus to pro- 
tections in the F air Credit Reporting Act. 

Section 109 contains important protections against the practice of “coercive disclo- 
sure,” a practice where an entity conditions provision of a product or service based 
on disclosure of the SSN. Maine, New Mexico, and Rhode Island have established 
protections against coercive disclosure, and we think it a good idea to federalize this 
important right to enhance privacy of the SSN. 14 

Title II contains measures to help protect the integrity of the SSN. Section 202, 
which addresses enumeration at birth, provides an excellent opportunity to address 
objections to SSN issuance to children that many Americans posses based on polit- 
ical or religious beliefs. In Bowen v. Roy, 476 U.S. 693 (1986), better known as the 
“Little Bird of the Snow” case, a family that applied for child welfare benefits sued 
the Department of Health and Human Services for requiring that a SSN be issued 
to their indigent child. The family alleged that enumeration violated their religious 
beliefs and that the conditioning of benefits on issuance of the SSN violated the 
Free Exercise Clause. The Supreme Court disagreed, holding that the government 
could require the child to obtain a SSN in order to receive benefits. 


9 See e.g. Jennifer 8. Lee, Finding Pay Dirt in Scannable Driver’s Licenses, New York Times, 
March 21, 2002. 

10 Louisiana has already prohibited embedding the SSN into a driver’s license. La. R.S. 
§32:410. West Virginia has attempted to address this problem of license swiping by allowing 
the use of license scanners for age verification purposes but prohibiting the recording of SSNs 
in the process. W. Va. Code Ann. § 60-2-22. 

11 During litigation, Metromail claimed that they had not violated the woman’s privacy, that 
they had no duty to inform individuals that prisoners were processing their personal data, and 
that the data processed was not highly intimate or embarrassing. Beverly Dennis, et al. v. 
Metromail, et al.. No. 96-04451, Travis County, Texas. 

12 Cal Pen Code §4017.1, §5071; Cal Wei & Inst Code §219.5; Ky. Rev. Stat. Ann. §131.191. 

13 Empire Blue Cross Will End Use Of SSNs, Use Alternate Number System, Privacy and Secu- 
rity Law Report (Jun. 7, 2004) at 666. 

14 2003 Me. ALS 512; N.M. Stat. Ann. §57-12B-3; R.I. Gen Laws §6-13-17. 
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In that case, the trial court found that the government could, in fact, administer 
child welfare programs without enumeration. This bill allows Congress to revisit the 
issue and provide an alternative for those having a religious or ethical objection to 
permanent enumeration. Alternatives could include a tax-identification number that 
expires at the age of eighteen, when the child can more fully consider whether to 
obtain a SSN. Another could specify heightened security requirements or anti-fraud 
measures to administer benefits to those objecting to enumeration. The study to be 
performed by the Commissioner of Social Security should require consideration of 
these issues. 

Title III of the legislation creates new criminal penalties for misuse of the SSN. 
Section 302 prohibits individuals from knowingly providing a false SSN to another 
person. We think that there should be an exception to this rule for cases where an 
individual provides a false SSN without any intent to commit fraud. For instance, 
in situations where an entity demands a SSN without justification, individuals 
should be able to fabricate one if they are not engaged in fraud and are simply at- 
tempting to protect their privacy. We think the following language should be added 
to Section 302 (in the provision amending Section 1129(a) of the Social Security Act 
to create a new provision at 1129(a)(3)(B)): “Notwithstanding the previous sentence, 
an individual is permitted to represent a number to be the social security number 
assigned by the Commissioner of Social Security to another so long as the individual 
does not do so with the intent to engage in fraud or other criminal activity.” 

II. States Have Innovated Clever Protections for the SSN; Congress Should 
Consider Incorporating Them in 108 H.R. 2971 

In recent years, state legislatures have functioned in their traditional roles as 
“laboratories of democracy,” creating new approaches to enhancing the privacy of 
SSNs. These privacy protections demonstrate that major government and private- 
sector entities can still operate in environments where disclosure and use of the 
SSN is limited. They also provide examples of protections that should be considered 
at the federal level. 

Some States Have Placed Broad Prohibitions on Disclosure and Use by Government 
and Private Entities 

Two weeks ago, Colorado Governor Bill Owens signed H.B. 1311, legislation that 
creates important new protections for the SSN that will take effect later this sum- 
mer. The new law will limit the collection of the SSN and its incorporation in li- 
censes, permits, passes, or certificates issued by the state. The law requires the es- 
tablishment of policies for safe destruction of documents containing the SSN. Insur- 
ance companies operating in the state must remove the SSN from consumers’ identi- 
fication cards. Finally, the legislation creates new penalties for individuals who use 
others’ personal information to injure or defraud another person. 

A law taking effect in January 2005 in Arizona prohibits the disclosure of the 
SSN to the general public, the printing of the identifier on government and private- 
sector identification cards, and establishes technical protection requirements for on- 
line transmission of SSNs. 15 The new law also prohibits printing the SSN on mate- 
rials mailed to residents of Arizona. Exceptions to the new protections are limited — 
companies that wish to continue to use the SSN must do so continuously, must dis- 
close the use of the SSN annually to consumers, and must afford consumers a right 
to opt-out of continued employment of the SSN. Arizona’s new law is based on Cali- 
fornia Civil Code § 1798.85. 

Special Protections Have Been Crafted for Students 

A number of states have passed legislation limiting colleges and universities from 
employing the SSN as a student identifier. Limiting use of the SSN in this context 
reduces the risk of identity theft, as databases of student information, student iden- 
tity cards, and even posting of grades sometimes contain SSNs. 

In Arizona, major universities can no longer use the SSN as the student identi- 
fier. 16 In Colorado, as of July 2003, public and private postsecondary institutions 
were required to establish protections for the SSN and discontinue its use as the 
primary student identifier. 17 New York and West Virginia prohibit all public and 
private schools from using the SSN as a primary identifier. 18 Kentucky law allows 
students to opt-out of use of the SSN as student identifier. 19 


15 Ariz. Rev. Stat. §44-1373. 

16 Ariz. Rev. Stat. §15-1823. Rhode Island and Wisconsin have similar protections. R.I. Gen. 
Laws § 16-38-5.1; Wis. Stat. Ann. §36.11(35). 

17 C.R.S. §23-5-127. 

18 N.Y. Educ. Law §2-b; W. Va. Code Ann. § 18-2-5f. 

19 Ky. Rev. Stat. Ann.156.160. See also Ky. Rev. Stat. Ann. 197. 120. 



75 


Protections Crafted for Public, Vital, and Death Records 

Commercial data brokers obtain SSNs from a number of sources, including public 
records that individuals are required to file in order to enjoy important rights and 
privileges offered by society. For instance, marriage licenses have been a source for 
SSNs and a number of states, including Arizona, California, Indiana, Iowa, Ken- 
tucky, Louisiana, Maine, Montana, Ohio, and Michigan, have enacted legislative 
protections to prevent their disclosure . 20 

Birth and death records are rich in personal information, and states have acted 
to shield SSNs collected in these life events against disclosures. Arizona, California, 
Illinois, Kansas, Maine, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, 
New Hampshire, and other states limit the appearance of the parents’ SSN on birth 
records . 21 Similarly, several states restrict disclosure of the SSN in records associ- 
ated with death . 22 

Protections Against Pretexting Should Be Considered 

We wish to raise one additional concern here — even legitimate collection of the 
SSN contributes to unauthorized access to the identifier. That is, we are increas- 
ingly aware of manuals for private investigators and other materials suggesting that 
SSNs can be obtained from motor vehicle departments, applications for professional 
licenses, and even tax returns . 23 In these cases, the investigator probably obtains 
the identifier through a friend or contact working at the institution with a SSN. Al- 
ternatively, the manuals suggest the use of “pretexting,” a practice where an inves- 
tigator requests personal information from an entity while pretending to be another 
person or while pretending to have a legitimate reason for access to the information. 
The Gramm-Leach-Bliley Act prohibits pretexting with respect to financial, securi- 
ties, and insurance companies, but the law doesn’t apply to pretexting targeted at 
employers, utility companies, or other entities that have SSNs. The Subcommittee 
should consider whether expanding protections against pretexting would enhance 
the privacy of the SSN. 

III. Excessive Reliance on the Social Security Number and Lax Credit 
Granting Practices Are Exacerbating the Identity Theft Problem 

News media stories abound on the plight of the victim of identity theft. No one 
is safe from the crime — impostors have been able to obtain credit in the names of 
young children and even babies . 24 While Congress has heightened penalties for 
identity theft, we recommend that further attempts to fight the crime be centered 
on the credit granting process, and in particular, the practice of granting credit only 
on a SSN match. 

Identity thieves can rely on aspects of the instant credit granting system to com- 
mit fraud. The first weakness in the system flows from extreme competition to ac- 
quire new customers. This has resulted in grantors flooding the market with “pre- 
screened” credit offers, pre-approved solicitations of credit made to individuals who 
meet certain criteria. These offers are sent in the mail, giving thieves the oppor- 
tunity to intercept them and accept credit in the victim’s name . 25 Once credit is 
granted, the thief changes the address on the account in order to obtain the physical 
card and to prevent the victim from learning of the fraud . 26 The industry sends out 


20 Ariz. Rev. Stat. §25—121; Cal Fam Code §2024.5; Burns Ind. Code Ann. §31-11-4-4; Iowa 
Code §595.4; Ky. Rev. Stat. Ann. 402.100; La. R.S. 9:224; 19-A M.R.S. §651; MCL §333.2813; 
Mont. Code Ann. §40-1—107; Ohio Rev. Code Ann. §3101.05. 

21 See Ariz. Rev. Stat. §36-322; Cal Health & Saf Code §102425; 410 ILCS 535/11; K.S.A. 
§65-2409a; 22 M.R.S. §2761; Md. Ann. Code §4-208; ALM GL ch. Ill, §24B; Minn. Stat. 
§144.215; Miss. Code Ann. §41-57-14; Mo. Rev. Stat. §193.075; Mo. Rev. Stat. §454.440; N.H. 
Rev. Stat. Ann. §5— C:10. 

22 See Ariz. Rev. Stat. § 16-165; Cal Health & Saf Code § 102231; Idaho Code §67-3007; Burns 
Ind. Code Ann. § 16-37-3-9; La R.S. §23:1671; N.D. Cent. Code §23-02.1-28. 

23 See e.g. Lee Lapin, How to Get Anything on Anybody 533-543 (Intelligence Here, 3d ed. 
2003) (section titled “How to Find Anyone’s Social Security Number” suggests thirty sources for 
the SSN, including driver’s license applications, bankruptcy filings, court records, bank files, 
utility records, professional and recreational licenses, and employment files). 

24 24]Identity Theft Resource Center, Fact Sheet 120: Identity Theft and Children, available 
at http://www.idtheftcenter.org/vgl20.shtml. 

25 Identity crises — millions of Americans paying price, Chi. Tribune, Sept. 11, 2003, p2. 

26 Id. 
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billions of these pre-screened offers a year. It 1998, it was reported that 3.4 billion 
were sent. 27 In 2003, the estimate increased to 5 billion sent. 28 

Competition also drives grantors to quickly extend credit. Once a consumer (or im- 
postor) expresses acceptance of a credit offer, issuers approve the transaction with 
great speed. Experian, one of the “big three” credit reporting agencies, performs in 
this task in a “magic two seconds.” 29 In a scenario published in an Experian white 
paper on “Customer Data Integration,” an individual receives a line of credit in two 
seconds after only supplying his name and address. 30 Such a quick response height- 
ens the damage to business and victims alike, because thieves will generally make 
many applications for new credit in hopes that a fraction of them will be granted. 

The second factor that makes identity theft easy to commit is that credit grantors 
do not have adequate standards for verifying the true identity of credit applicants. 
Credit issuers sometimes open tradelines to individuals who leave obvious errors on 
the application, such as incorrect dates of birth or even the incorrect name. Identity 
theft expert Beth Givens has argued that many incidences of identity theft could 
be prevented by simply requiring grantors to more carefully review credit applica- 
tions for obviously incorrect personal information. 31 

TRW Inc. v. Andrews illustrates the problems with poor standards for customer 
identification. 32 In that case, Adelaide Andrews visited a doctor’s office in Santa 
Monica, California, and completed a new patient’s information form that requested 
her name, birth date, and SSN. 33 The doctor’s receptionist, an unrelated woman 
named Andrea Andrews, copied the information and used Adelaide’s Social Security 
Number and her own name to apply for credit in Las Vegas, Nevada. On four occa- 
sions, Trans Union released Adelaide’s credit report because the SSN, last name, 
and first initial matched. Once Trans Union released the credit reports, it made it 
possible for creditors to issue new tradelines. Three of the four creditors that ob- 
tained a credit report issued tradelines to the impostor based on Adelaide’s file, de- 
spite the fact that the first name, birth date, and address did not match. 34 

A survey of other prominent identity theft litigation shows numerous cases where 
credit was granted as a result of a SSN match despite other obvious inaccuracies. 
For instance, in Aylward v. Fleet Bank, 122 F.3d 616 (8th Cir. 1997), Fleet Bank 
of Albany, New York, issued two credit cards to “Ronald Aylward,” allegedly of East 
Moriches, New York, who used both the victim’s name and SSN in applying for the 
cards. The victim, however, lived in Missouri all of his life. 

In United States v. Peyton, 353 F.3d 1080 (9th Cir. 2003), impostors obtained 
American Express cards using the victims’ correct names and SSNs but directed all 
the cards to be sent to the impostors’ home. In Vazquez-Garcia v. Trans Union De 
P.R., Inc., 222 F. Supp. 2d 150 (D. P.R. 2002), a resident of Puerto Rico who was 
born in 1962 learned that Sears had issued a credit card to a resident of Nevada 
who was born in 1960. The impostor had falsely used the victim’s SSN to apply for 
credit cards in his own name and succeeded in getting credit despite the mismatch 
on age and location. In Dimezza v. First USA Bank, Inc., 103 F. Supp. 2d 1296 (D. 
N.M. 2000), an impostor obtained credit using the victim’s SSN but a different name 
and address. 

And finally, those who attempt to assign liability for negligent credit granting 
have not been successful in the courts. In Huggins v. Citibank, 355 S.C. 329 (S.C. 
2003), a plaintiff-victim alleged that banks should be liable when they negligently 


27 Identity Theft: How It Happens, Its Impact on Victims, and Legislative Solutions, Hearing 
Before the Senate Judiciary Subcommittee on Technology, Terrorism, and Government Informa- 
tion, Jul. 12, 2000 (testimony of Beth Givens, Director, Privacy Rights Clearinghouse) (citing Ed- 
mund Sanders, Charges are flying over credit card pitches, L.A. Times, Jun. 15, 1999, p. D-l), 
available at http://www.privacyrights.org/ar/id theft.htm. 

28 Rob Reuteman, Statistics Sum Up Our Past, Augur Our Future, Rocky Mountain News, 
Sept. 27, 2003, p 2C; Robert O’Harrow, Identity Crisis; Meet Michael Berry: political activist, 
cancer survivor, creditor’s dream. Meet Michael Berry: scam artist, killer, the real Michael Berry’s 
worst nightmare, Wash. Post Mag., Aug. 10, 2003, p W14. 

29 Experian, Inc., Customer Data Integration: The essential link for Customer Relationship 
Management White paper 15, 2000, available at http://www.experian.com/whitepapers/ 
cdi white paper.pdf. 
as Id. 

31 Legislative Hearing on H.R. 2622, The Fair and Accurate Credit Transactions Act of 2003, 
Before the Committee on Financial Services, Jul. 9, 2003 (testimony of Chris Jay Hoofnagle, Dep- 
uty Counsel, Electronic Privacy Information Center). 

32 534 U.S. 19 (2001); Erin Shoudt, Comment. Identity theft: victims “ cry out” for reform, 52 
Am. U. L. Rev. 339, 346-7 (2002). 

33 Id. at 23-25. 

3i Id. 
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extend credit in a victim’s name to an impostor. 35 The defendants argued that no 
duty existed because the victim was not actually a customer of the bank. In August 
2003, the South Carolina Supreme Court rejected the proposed cause of action. Al- 
though it expressed concern about the rampant growth of identity theft, the court 
found that the relationship between credit card issuers and potential victims of 
identity theft was “far too attenuated to rise to the level of a duty between them.” 

These cases show that excessive reliance on the SSN can contribute to identity 
theft. California has attempted to address this problem by requiring certain credit 
grantors to comply with heightened authentication procedures. California Civil Code 
§1785.14 requires credit grantors to actually match identifying information on the 
credit application to the report held at the credit reporting agency. Credit cannot 
be granted unless three identifiers from the application match those on file at the 
credit bureau. The categories to be matched include “first and last name, month and 
date of birth, driver’s license number, place of employment, current residence ad- 
dress, previous residence address, or social security number.” 36 Simply requiring 
credit grantors to look beyond the SSN as a customer identifier and authenticator 
will begin to address a wide range of identity theft. 

Conclusion 

Thank you, Chairman Shaw, for continuing to develop a rich legislative record 
supporting greater privacy for the SSN. We think that the privacy and integrity of 
SSNs could be enhanced through the passage of federal legislation that limits the 
collection and approved uses of the identifier. We urge the Subcommittee to examine 
state laws that have created new, clever protections for the SSN. We also urge the 
Subcommittee to consider that excessive reliance on the SSN contributes to identity 
theft. We look forward to continuing to work with the Subcommittee on this and 
other privacy matters. 


Chairman SHAW. Thank you. Mr. McGuinness. 

STATEMENT OF BRIAN P. MCGUINNESS, FIRST VICE PRESI- 
DENT, NATIONAL COUNCIL OF INVESTIGATION AND SECU- 
RITY SERVICES, MIAMI, FLORIDA 

Mr. MCGUINNESS. Good afternoon, Mr. Chairman, Members of 
the Committee, wherever you may be. My name is Brian 
McGuinness. I am appearing today on behalf of the NCISS as its 
first Vice President. I am past President of the Florida Association 
of Licensed Investigators, and I have been a licensed investigator 
for over 20 years. Before that, I was a criminal investigator for 7 
years with the Miami Dade County Public Defenders Office. I real- 
ly appreciate the opportunity to comment on H.R. 2971 today. Our 
profession has been trying to help identity theft victims for years. 

Much of H.R. 2971 seems to be on the right track. Publication 
of SSNs to the general public can only lead to improper use, includ- 
ing theft, fraud, even potential physical harm. We support legisla- 
tion that will curtail such information being offered for sale over 
the Internet to the general public, but we are very concerned about 
sections 107 and 108, which will in fact hinder relief for victims 
and cause many unintended consequences. 

A number of years ago, the FTC entered into a consent agree- 
ment whereby the identifying information that precedes a credit re- 
port was deemed not part of the report and therefore not covered 
by the Fair Credit Reporting Act. The “header” information does 
not contain any financial data and has been an invaluable resource 


35 See also Garay v. U.S. Bancorp, 2004 U.S. Dist. LEXIS 1331 (E.D.N.Y. 2004); Smith v. 
Citibank, 2001 U.S. Dist. LEXIS 25047, (W.D. Mo. 2001); Polzer v. TRW, Inc., 256 A.D.2d 248 
(N.Y. App. Div. 1998). 

36 Id. 
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to employ in all manner of investigations. Header information is 
only available through vetted contracts with major credit bureaus 
by legitimate businesses and law enforcement agencies. We are un- 
aware that credit headers are being used by identity thieves. The 
crooks know where their victims are. They don’t need to locate 
them. 

Section 108 would deal a blow to both the civil and criminal jus- 
tice systems by effectively eliminating the access to credit header 
information for the purpose of locating suspects and witnesses. Lo- 
cating females after a marriage or a divorce is particularly difficult 
without using the SSN identifier. There are over 43,000 Robert 
Joneses in the United States. Many of them have the same or simi- 
lar dates of birth. Investigators need to be able to positively dif- 
ferentiate between subjects when rendering reports that would be 
used for many purposes, including evidence in court proceedings. 

Law enforcement agencies have many means at their disposal 
and are generally exempt from legislation restricting access to in- 
formation, but even law enforcement Members admit that restrict- 
ing access to credit headers will tip the scales of justice in favor 
of the prosecution and will decrease the defendant’s ability to re- 
ceive a fair trial. At a time when our justice system is being criti- 
cized for errors proven by DNA evidence, we find it hard to believe 
that Congress would attempt to take away the defendants primary 
means of locating witnesses. 

Let me tell you all of an example from my own experience at- 
tempting to assist a domestic maid whose son had been kidnapped 
by her husband 5 years previously. In her 5-year search she had 
mounted a letter-writing campaign which yielded a 2-inch stack of 
letters similar to yours, Ms. Foss, from apathetic police officers and 
politicians expressing their regret but providing no real assistance. 
I entered her husband’s SSN in a database and learned about a 
West Palm Beach address he had used when applying for credit. 
I checked directory assistance and confirmed there was a non-pub- 
lished telephone number in his name at that address. A 5-year 
journey of desperation, anguish and frustration was ended in 5 
minutes by simply having access to header information. 

A New York investigator was retained by the courts in a guard- 
ianship proceeding to recover over $300,000 in assets stolen from 
a 97-year-old retiree by a neighborhood care giver. Using credit 
headers he determined identities and locations of the wrongdoer’s 
relatives and eventually their assets that had been taken away 
from the victim. The victim’s assets had been used to purchase real 
property, expensive automobiles and to increase the thief s bank ac- 
count balances. The suspect pled guilty and was sentenced to 3 to 
9 years in State prison for second degree grand larceny and or- 
dered to pay $360,000 in restitution to the victim’s estate. 

With few exceptions, law enforcement does not have the re- 
sources to assist identity theft victims. As pointed out in my prior 
written testimony, victims are often told their losses are below the 
threshold required before agencies will investigate. In fact, many 
victim turn to licensed private investigators for assistance. We, 
therefore, ask that all of Section 108 be deleted. We routinely pro- 
vide our clients with documents and reports containing necessary 
identifying information, section 107 would effectively deny us the 
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ability to obtain or provide our clients with such information. There 
is an exemption for law enforcement and collection of child support, 
but the exemption should also include reports prepared in connec- 
tion with litigation, service of process, due diligence investigation 
of insurance claims, civil and criminal fraud, criminal defense, 
identity fraud and stalking or any other violations of law. 

Although H.R. 2971 provides the Attorney General with the abil- 
ity, I am sorry, with the authority, rather, to provide additional ex- 
emptions, we believe it is critical for Congress to spell them out in 
advance. The bill as introduced would have a substantially delete- 
rious impact on the court system and individual victims of crime. 
Such major issues should be resolved by elected officials and not 
delegated to the Department of Justice. Congress should proceed 
very carefully. Taking away the tools from investigators serving the 
justice system is not the way to go about resolving identity theft. 
I would be pleased to answer any questions that you may have. 

[The prepared statement of Mr. McGuinness follows:] 

Statement of Brian P. McGuinness, First Vice President, National Council 
of Investigation and Security Services, Miami, Florida 

Good morning Mr. Chairman and members of the Committee. My name is Brian 
P. McGuinness and I am appearing today on behalf of the National Council of Inves- 
tigation and Security Services. I am first vice president of NCISS and past president 
of the Florida Association of Licensed Investigators. I have been a licensed private 
investigator in Florida for twenty years and before that I was a criminal investi- 
gator for seven years with the Dade County Public Defenders Office. 

I appreciate the opportunity to comment on H.R. 2971, the Social Security Num- 
ber and Identity Theft Prevention Act of 2003. You have asked us to address the 
uses private investigators currently make of Social Security numbers and other per- 
sonally identifiable information and for our views on specific provisions of this bill 
that would affect the private investigator community. 

As a profession that has been trying to help victims through the identity theft 
maze for years, we applaud Congress’ efforts to finally put laws on the books that 
will bring victims some relief. Although a percentage of identity thieves no doubt 
gather their victim’s identities from the Internet, our experience is that most such 
thefts result from the purloining of documents, files, charge slips, credit cards, and 
wallets from restaurants, stores, trash bins, the mails and private property. 

Much of HR 2971 seems to be on the right track, but we are very concerned about 
Sections 107 and 108, which will, in fact, hinder relief for victims and cause many 
unintended consequences. 

A number of years ago, the Federal Trade Commission entered into a consent 
agreement whereby the identifying information that precedes a credit report, which 
is called “header” information, was deemed not part of the credit report and there- 
fore not covered by the F air Credit Reporting Act as a Consumer Report. The “head- 
er” report does not contain any financial information. This information has been an 
invaluable resource for investigators to locate witnesses, heirs, debtors, and to em- 
ploy in all manner of fraud and theft investigations. 

We are unaware of any evidence that credit headers are being used by identity 
thieves for any purpose. Licensed investigators and police use credit headers to lo- 
cate witnesses and suspects. Identity thieves know where their victims are; they 
don’t need to find them. 

Header information is only available through vetted contracts with major credit 
bureaus by legitimate businesses and law enforcement agencies. These information 
providers audit the users of such data, including the use of “stings” to assure com- 
pliance with contract provisions. 

Because the FTC has ruled that investigators rendering reports in connection 
with employment or credit are themselves consumer reporting agencies, the lan- 
guage in Section 108 of HR 2971 appears to eliminate the use of credit headers for 
most legitimate purposes. It will make it impossible for civilian investigators to ob- 
tain or report information necessary to identify suspects and exonerate the innocent 
without first obtaining the written permission of a suspect as required by the FCRA. 
Section 108 has an unintended consequence which would deal a blow to both the 
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civil and criminal justice systems by effectively eliminating access to credit header 
information for the purpose of locating suspects and witnesses. 

Law enforcement agencies have NCIC and many other means at their disposal, 
and are always exempted from legislation restricting access to the same information 
sources that HR 2971 would deny private investigators. As a matter of fairness, 
even law enforcement members admit that restricting access to credit headers will 
tip the scales of justice in favor of the prosecution and augurs against the defend- 
ant’s ability to receive a fair trial. At a time when our justice system is being criti- 
cized for errors proven by DNA evidence, we find it hard to believe that Congress 
would intend to take away a defendant’s primary means of locating witnesses. 

The header search is by far the most important search currently used by inves- 
tigators when locating female witnesses. Since women often change surnames over 
the course of their lives due to marriage or divorce, it makes it even more critical 
to be able to identify them by their SSN. The SSN does not change and allows us 
to locate these otherwise difficult to find witnesses. 

In past hearings, Lexis Nexis has testified that there are 46,000 men in America 
named Bill Jones. Many of them have the same or similar dates of birth. Licensed 
private investigators need to be able to positively differentiate between subjects 
when rendering reports which will be used for many purposes including evidence 
in court proceedings. 

We hope you are also aware that with few exceptions, law enforcement does not 
have the resources to successfully assist identity theft victims. In fact, many victims 
turn to licensed private investigators for assistance. We therefore ask that all of 
Section 108 be deleted. 

Most states have legal jurisdiction over private investigative and security firms. 
They undergo fingerprint-based criminal background checks, are regulated, are test- 
ed and for the most part receive training and often continuing education. We believe 
that regulated licensed private investigators and security firms should be allowed 
continued access to header information. Many of the reports that private investiga- 
tors prepare containing the personally identifiable information that this committee 
seeks to protect are privileged attorney work product. 

We abhor scam fraud artists and rogue information brokers who advertise on the 
Internet to the general public that they will provide information on anybody to any- 
body for a price no matter who the customer. Publication of personally identifiable 
information to the general public can only continue to lead to improper use, theft, 
fraud and even potential physical harm. We support efforts to limit access to such 
data to the general public. We also support any legislation that will curtail such in- 
formation being offered for sale over the Internet to the general public. 

Section 107 

Private investigators, for a fee, as a regular part of their routine, ascertain, col- 
lect, assemble, evaluate and provide their clients documents and reports containing 
personally identifiable information. Such information often includes the Social Secu- 
rity numbers of individuals. Section 107 of HR 2971 would effectively deny us the 
ability to provide our clients with such information. The section provides an exemp- 
tion for law enforcement and the collection of child support. 

But, the exemption should also includeproviders of reports prepared in connection 
with litigation, in anticipation of litigation, due diligence, investigation of insurance 
claims, civil and criminal fraud, criminal defense, identity fraud, and stalking or 
any other violations of law. 

There are appropriate uses for such information which is not only critical for pri- 
vate investigators but for attorneys, journalists, medical researchers, insurance com- 
panies, self regulatory bodies, as well as government and law enforcement agencies. 
Licensed private investigators use the information in fraud prevention, child sup- 
port enforcement, uniting separated families, locating heirs to estates, locating pen- 
sion fund beneficiaries, locating organ and bone marrow donors, to assist those en- 
gaged in significant journalistic endeavors, apprehending criminals, aiding citizens 
in obtaining access to public record information and in assisting the very individuals 
that this legislation seeks to protect. 

Although HR 2971 provides the Attorney General with the authority to provide 
additional exemptions, we believe it is critical for Congress to spell them out in ad- 
vance. The bill, as introduced, would have a substantial deleterious impact on the 
court system and individual victims of crime. Such major issues should be resolved 
by elected officials and not delegated to the Department of Justice. 

There are a number of bills before Congress which would ban the use of the Social 
Security number for any but its intended purpose. Many of these bills do not take 
into consideration the effect of removing the social security number as an identifier. 
We fully appreciate the incredible burdens faced by victims of identity theft. Many 
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of us have had to face these victims. When all other avenues of redress have fallen 
upon deaf ears and often as a last resort, identity fraud victims have turned to pri- 
vate investigators to redeem their name and restore their good reputation. In fact, 
many of us have assisted these victims for little or no remuneration. 

The National Council of Investigation and Security Services holds the position 
that anyone who uses personally identifiable information or financial information 
for illegal purposes be subject to criminal sanctions and heavy fines. We favor the 
implementation of assessing enhanced penalties for aggravated cases, actual dam- 
ages for willful violations, and additional damages allowed by the court for commer- 
cial purposes, disgorgement of profits, attorney’s fees and costs, and additional sanc- 
tions upon the receiver of information that is obtained for unlawful purposes. 

Taking away the tools from the civilian crime fighters and investigators serving 
the justice system is not the way to go about resolving identity theft. Congress 
needs to ensure that exemptions are provided for licensed private investigators on 
legitimate business. Our members have provided leads concerning rogue information 
providers to the FTC in the past. We would also like to see the FTC set up a formal 
liaison with our profession which would allow us to provide evidence on those who 
commit fraud and who tarnish our reputation. 

Concerning this and similar legislation, we in the past surveyed our membership 
about how they have been able to assist victims of identity theft. The following ex- 
amples demonstrate the benefits of permitting licensed private investigators to ac- 
cess essential information from “credit headers.” HR 2971 would deny us this crit- 
ical tool. These anecdotes should give this Committee some idea of the types of cases 
that require this information: 

A past president of NCISS was retained by the New York courts in a guardian- 
ship proceeding to recover over $300,000 in assets stolen from a ninety-seven year- 
old retired Army officer by a neighbor caregiver. Through the use of credit headers 
he was immediately able to determine the identities and locations of the wrong- 
doer’s relatives, properties and eventually their assets that had been taken from the 
victim. It was the initial header check on the suspect that uncovered a Myrtle 
Beach, South Carolina address for him. That information developed leads that the 
victim’s assets had been used to purchase real property in South Carolina, expen- 
sive automobiles and increased the bank account balances of the subject under the 
guise that the 97-year-old victim, who was suffering from dementia, had given his 
life savings as gifts to the suspect. The suspect was to eventually plead guilty and 
was sentenced to three to nine years in state prison for second-degree grand larceny 
and ordered to pay $360,000 in restitution to the estate of the victim, who died a 
month before sentencing of the defendant. 

In Coronado, California, an elderly woman whose apartment building had just 
been renovated suddenly began receiving bills for a credit card that she never used 
and kept in a desk drawer. When she complained to the contractor, he realized 
there were four possible suspect workers and hired a private investigator. The in- 
vestigator verified the credit card was used by a man and wife fitting the descrip- 
tion and in the neighborhood of one of the workers. The suspect was terminated 
while the other three were cleared and their jobs and reputations saved. No prosecu- 
tion resulted. 

In Tennessee, a show dog breeder was being stalked and threatened by e-mail 
from an unknown harasser. She was terrified because she had no idea what the sus- 
pect looked like and she was often exposed in public arenas. The police could not 
help without some identification. Using credit headers and other sources, the pri- 
vate investigator found addresses for the suspect who was using four names, four 
different social security numbers and who had a criminal record. The investigator’s 
report was provided to the police. The same investigator reports she recently located 
and served process on a dead-beat dad and could not have located him without 
using credit headers. 

In New York, a public utility hired our member to conduct a pre-employment 
background investigation for a high level position. A credit report, obtained under 
the FCRA contained two different social security numbers. Running a credit header 
check on the second number revealed a different name and addresses and the inves- 
tigator discovered his true identity. The applicant had adopted the identity of one 
of his former college professors to keep his own less desirable background secret. 

In Atlanta, Georgia, an auto dealership asked our investigator to help an appli- 
cant who claimed his identity had been stolen. An imposter had stolen this man’s 
social security number and date of birth as well as the identity of four other people. 
His criminal record included nine felonies in Georgia and other multi-state offenses. 
The applicant couldn’t understand why he had been turned down for several jobs 
until one potential employer leveled with him and he realized his identity had been 
stolen. Numerous law enforcement agencies told him they couldn’t help him. Our 
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investigator arranged for the applicant to be fingerprinted and the Georgia Bureau 
of Investigation issued him a certificate stating he was not the same person as the 
imposter. He then carried the certificate to the three major credit bureaus to clear 
his name in their files. 

The investigator says had he not helped the victim through this maze, he would 
surely have been arrested in Georgia or Florida where warrants had been issued. 

An investigation in California found a middle-aged suspect had returned home 
after years away and stolen his elderly father’s identity. He went on a spending 
spree in Oregon and California and was not called to answer before both his parents 
passed away. A private investigator was hired by the estate to try to apprehend the 
thief and obtain restitution. Most of his leads involve the use of credit header infor- 
mation. 

A former Dallas police sergeant, now a private investigator, reported he was pur- 
suing a physician who filed bankruptcy following loss of suit for a wrongful death. 
The doctor divorced her husband before the bankruptcy and is now remarried to a 
man with a similar name and date of birth and social security number. The sus- 
picion is that this maneuver served to hide assets due to the victim’s survivors. 

In San Francisco, an investigator reports working a case for a successful business 
owner who started getting statements in the mail saying he owed tens of thousands 
of dollars on computers and other purchases, none of which he knew anything 
about. He found someone had hijacked his identity, opened credit card and store ac- 
counts in his name and had even opened a web page mirroring his web page and 
had an email address similar to his. The San Francisco Police said they would take 
a report, but would not investigate and suggested he go to the Secret Service. Al- 
though losses approached $80,000, the Secret Service said they would not handle 
the case until at least $100,000 is lost. The victim had a suspicion it was an ex- 
employee who lived in Salt Lake City and called the investigator. The agency used 
credit header information to learn that the ex-employee has three names, three or 
four social security numbers, and three different dates of birth on file. 

Here is an investigator’s story from Toledo, Ohio, in his own words, about how 
credit header information is used to locate lost heirs: 

“One of my cases involved a woman whose name was Terri. She was left a size- 
able inheritance by her uncle in the form of a trust. The family had not had any 
contact with her for a number of years, so the attorney handling the trust asked 
for my assistance. By using header information, I was able to eventually determine 
that Terri was recently married and was living someplace in Utah. I was able to 
locate her husband’s relatives and learned that Terri and her husband were des- 
titute and were living out of a pick-up truck either in Utah or Oregon. I sent the 
requisite documentation to Terri in care of her husband’s relatives and she right- 
fully obtained her substantial inheritance. Without access to header information, I 
would not have been able to locate her.” 

The need for the continuation of the investigative profession’s access to the SSN 
header search can be clearly seen from the following example. This example is from 
my own experience as a licensed private investigator attempting to assist a domestic 
maid whose son had been kidnapped by her husband. She had not seen her son in 
five years and had never contemplated hiring an investigator. 

What she did do was mount a letter writing campaign which yielded many letters 
from various empathetic police officials and politicians expressing their regret but 
providing no real answers or concrete assistance. She showed me a stack two inches 
thick of such letters, including one to the president of the United States, her Con- 
gressman, county sheriff, local municipal police chief, etc. 

When she told me that in addition to having her husband’s date of birth, she also 
had his social security number, I became optimistic. I entered the SSN into my 
TransUnion database and immediately learned that the husband had used a West 
Palm Beach address within the previous six months when applying for credit. I 
checked directory assistance and they confirmed that there was a non-published 
telephone number in his name at that address. A five year journey of desperation, 
anguish and frustration was rewarded with success within a five minute period by 
simply having access to header information in the form of an inexpensive database 
search. 

We believe that the identity theft laws recently enacted will help law enforcement 
to prosecute perpetrators once apprehended. But Congress should be aware that 
public law enforcement resources are stretched and crimes of this nature are not 
now a high priority. The losses, though devastating to the victims, are usually be- 
neath the dollar threshold that many departments follow. And the mental toll on 
the victims is unquantifiable. The private sector will have to continue to augment 
public law enforcement. And it should be noted that the hapless victims of this 
crime often have very limited resources. 
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To the extent HR 2971 makes it easier for victims of identity theft to clear their 
credit files and restore their reputation, we commend it. But Congress should pro- 
ceed very carefully before eliminating the very tools used to apprehend the stealers 
of the identities of others or the perpetrators of other criminal acts. 


Chairman SHAW. Thank you. Mr. Buenger. 

STATEMENT OF MICHAEL L. BUENGER, PRESIDENT, CON- 
FERENCE OF STATE COURT ADMINISTRATORS, JEFFERSON 

CITY, MISSOURI 

Mr. BUENGER. Thank you, Mr. Chairman. My name is Mike 
Buenger. I am the President of the national COSCA, and also the 
State Court Administrator for the State of Missouri. The COSCA 
represents the principal court administrative officers in each of the 
50 States, the District of Columbia, the Commonwealth of Puerto 
Rico, the Commonwealth of the Northern Mariana Islands and the 
Territories of American Samoa, Guam and the Virgin Islands. I am 
pleased to present testimony to you today as this Subcommittee ex- 
amines and struggles with the issue of protecting privacy and pre- 
venting the misuse of SSNs. 

Mr. Chairman, State courts handle 97 percent of all judicial pro- 
ceedings in this country. Over 96 million cases are filed annually. 
I give you this statistic to frame the magnitude of the work of the 
State courts of our Nation and so that you can frame the impact 
of legislation such as H.R. 2971 on the courts. For the past several 
years, we have grappled with the issue of protecting privacy and 
private information as it relates to court documents. Although the 
immediate issue before the Subcommittee is protecting privacy of 
SSNs, privacy protection for information and court documents is 
part of a broader issue that involves balancing public access to gov- 
ernment records and the openness of our courts with the legitimate 
privacy interest of citizens and, I might add, the capacity of courts 
to operationally accommodate both privacy and access concerns. 

We have sought to provide guidance to the State court commu- 
nity through a project entitled Public Access to Court Records, both 
the Conference of Chief Justices and COSCA having issued guide- 
lines for policy development by State courts. This guidance outlines 
the issues that courts should address in developing rules and poli- 
cies governing access to court documents. It provides but one ap- 
proach. However, Mr. Chairman, there is no doubt that SSNs are 
contained in many court documents and frequently as mandated by 
Federal and State law. 

For example, Federal law requires us to collect SSNs to track 
deadbeat parents. Court orders and pleadings involving child sup- 
port must bear the parties’ SSNs, again a requirement of Federal 
law. Federal regulations require that garnishment orders for Fed- 
eral postal employees bear the SSN of the garnishee. State courts 
use SSNs to identify parties to a case, to collect fines and crime vic- 
tim restitution and to report criminal history to central reposi- 
tories. Frequently, they are found in documents filed with the court 
for safekeeping, such as discovery documents and deposition testi- 
mony. They are, as noted, frequently used and for good reason. 
They are a needed and unique identifier used by virtually every 
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member of the justice community and the law enforcement commu- 
nity, not just the courts. 

The most important message I can deliver to you today, Mr. 
Chairman, is that COSCA stands ready to work with you in 
crafting solutions to address the problem of identity theft. I think 
it is also important to understand that this is not a problem that 
can be resolved through a mandate. It is complex not only in terms 
of your responsibility to establish balanced public policy but also in 
terms of the ability of the States and in this particular case the 
State courts to actually implement that policy. The threat of iden- 
tity theft is real, and we want to do our part to eliminate it. 

Section 102 of H.R. 2917 is of particular concern to us because 
it would effectively require courts to redact or otherwise prevent 
the display of SSNs from most court documents. This section has 
serious implications for State courts in a variety of contexts. Given 
the volume of cases filed annually in the State courts, the task of 
redacting SSNs from existing documents or those to be filed would 
be daunting. In some circumstances, it puts us at odds with estab- 
lished Federal and State law. 

The SSN may appear in a variety of documents, including finan- 
cial documents that are filed with the court, for example, tax re- 
turns and child support cases, or are appended to official court doc- 
uments such as motions for summary judgment. Restricting access 
to SSNs in such documents is difficult because often such informa- 
tion can be buried in a stack of documents generally not reviewed 
by the court or its clerks until the case is actually heard. 

In conclusion, Mr. Chairman, we recognize the serious role of 
SSNs in incidents of identity theft and the fact that such informa- 
tion is readily available in a host of public records. The current 
state of affairs with regards to the treatment of SSNs provides 
lawbreakers a continuing opportunity to exploit the current system 
at the expense of ordinary Americans. However, there is no simple 
solution and certainly no cheap solution to this problem. Even the 
public policy coming from Congress evidences the complexity of the 
issue by requiring the collection, use and availability of such infor- 
mation and even its display on one hand, and then seeking to re- 
strict its access in others. 

We hope that you will also assist the State courts in dealing with 
the unfunded mandates that H.R. 2971 will present to us. I thank 
you for offering us the opportunity to offer our opinion on this im- 
portant matter. As I said, COSCA stands ready to work with you 
collaboratively and cooperatively in crafting a solution. Thank you, 
sir. 

[The prepared statement of Mr. Buenger follows:] 

Statement of Mike L. Buenger, President, Conference of State Court 
Administrators, Jefferson City, Missouri 

Mr. Chairman and Members of the Subcommittee, 

The Conference of State Court Administrators (COSCA) is pleased to present tes- 
timony on today’s hearing “Enhancing Social Security Number Privacy” as the sub- 
committee examines the issue of protecting privacy and preventing the misuse of 
Social Security Numbers (SSNs). 
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SUMMARY 

Mr. Chairman and members of the subcommittee, for the past several years the 
state court community has been grappling with the issue of protecting privacy, and 
private information, as it relates to court records. Although the immediate issue for 
the committee is protecting the privacy of SSNs, privacy protection for information 
in court records is actually a much broader issue. The use of Social Security Num- 
bers in court records is, thus, a subset of much larger issues that involve balancing 
public access to government records with the legitimate privacy interests of citizens 
with actual capacity of courts to operationally accommodate privacy and public ac- 
cess concerns. To this end, we helped develop guidance for state courts through a 
project entitled “Public Access to Court Records: CCJ/COSCA Guidelines for Policy 
Development by State Courts.” This guidance outlines the issues that courts must 
address in developing rules and policies governing access to court records. The 
Guidelines touch on the use of SSNs in court records and other private information. 
The text of the Guidelines can be found at http://www.courtaccess.org/modelpolicy/ 
180ct2002FinalReport.pdf. Both the Conference of Chief Justices and COSCA adopt- 
ed a resolution endorsing the Guidelines and urged the states to use them in devel- 
oping their own standards, rules, and policies. 

Mr. Chairman, SSNs are pervasive in state court documents, frequently as man- 
dated by state and federal law. For example, federal law requires us to collect SSNs 
for various reasons related to tracking deadbeat parents. By federal law, SSNs must 
appear on pleadings and court orders related to child support. Even federal regula- 
tions require that a SSN must appear on garnishment orders involving postal em- 
ployees. See, 39 CFR 491.3Along with other identifiers, courts use SSNs to associate 
parties to a case, i.e. to determine whether John Smith 1 is different from John 
Smith 2. We use SSNs to collect fines and crime victim restitution, to report crimi- 
nal records to central repositories, and to aid in the enforcement and collection of 
child support. In addition, many SSNs appear in the public record in many types 
of court cases including, but not limited to, bankruptcy, divorce, paternity, and child 
support determination. 

Mr. Chairman, the most important message I can deliver to you today is that the 
Conference stands ready to work with you in crafting solutions to address the prob- 
lem of identity theft. But I think it is also important for the sub-committee and the 
Congress to understand that this is not a problem that can be solved through a sim- 
ple mandate. It is complex not only in terms of your responsibility to establish con- 
sistent public policy but also in terms of the ability of states, and in this case state 
courts, to actually implement that policy. The threat of identity theft is real and we 
want to do our part to eliminate it. We are at the same time concerned about the 
effort to require us to redact or expunge SSNs that appear in public records. We 
feel that this type of requirement could impose an incalculable burden on the state 
courts in this country, both with respect to resources and funding to achieve that 
goal. The cost to fulfill this requirement would be high because many SSNs appear 
in paper documents as well as other hard-to-redact microfilm/microficbe. 

ABOUT COSCA 

Before I begin my remarks, I would like to provide some background on our group 
and our membership. I submit this testimony as the President of the Conference of 
State Court Administrators (COSCA). COSCA was organized in 1955 and is dedi- 
cated to the improvement of state court systems. Its membership consists of the 
principal court administrative officer in each of the fifty states, tbe District of Co- 
lumbia, the Commonwealth of Puerto Rico, the Commonwealth of the Northern 
Mariana Islands, and the Territories of American Samoa, Guam, and the Virgin Is- 
lands. A state court administrator implements policy and programs for a statewide 
judicial system. COSCA is a nonprofit corporation endeavoring to increase the effi- 
ciency and fairness of the nation’s state court systems. State courts handle 97% of 
all judicial proceedings in the country, over 96 million cases annually. The purposes 
of COSCA are: 

• To encourage the formulation of fundamental policies, principles, and standards 
for state court administration; 

• To facilitate cooperation, consultation, and exchange of information by and 
among national, state, and local offices and organizations directly concerned 
with court administration; 

• To foster the utilization of the principles and techniques of modern management 
in the field of judicial administration; and 

• To improve administrative practices and procedures and to increase the effi- 
ciency and effectiveness of all courts. 
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Although I do not speak for them, I also would like to tell you about the Con- 
ference of Chief Justices (CCJ), a national organization that represents the top judi- 
cial officers of the 58 states, commonwealths, and territories of the United States. 
Founded in 1949, CCJ is the primary voice for state courts before the federal legisla- 
tive and executive branches and works to promote current legal reforms and im- 
provements in state court administration. COSCA works very closely with CCJ on 
policy development and administration of justice issues. 

NATIONAL EFFORT TO CRAFT PUBLIC ACCESS GUIDELINES TO 
COURT RECORDS 

Our project entitled, “Public Access to Court Records: CCJ/COSCA Guidelines for 
Policy Development by State Courts” was a joint effort of CCJ and COSCA to give 
state court systems and local trial courts assistance in establishing policies and pro- 
cedures that balance the concerns of personal privacy, public access and public safe- 
ty. 

The State Justice Institute (SJI) funded this project in 2001 and the project was 
staffed by the National Center for State Courts (NCSC) and Justice Management 
Institute (JMI). The project received testimony, guidance and comments from a 
broad-based national committee that included representatives from courts (judges, 
court administrators, and clerks), law enforcement, privacy advocates, the media, 
and secondary users of court information. 

The Guidelines recommend the issues that a court must address in developing its 
own rules and policies governing public access to its records. The Guidelines are 
based on the following premises: 

• Retention of the traditional policy that court records are presumptively open to 
public access 

• The criteria for access should be the same regardless of the form of the record 
(paper or electronic), although the manner of access may vary 

• The nature of certain information in some court records is such that remote 
public access to the information in electronic form may be inappropriate, even 
though public access at the courthouse is maintained 

• The nature of the information in some records is such that all public access to 
the information should be precluded, unless authorized by a judge 

• Access policies should be clear, consistently applied, and not subject to interpre- 
tation by individual courts or court personnel 

The Guidelines Committee examined the use of SSNs in current court practices. 
They looked at the inclusion of SSNs in bulk distribution of court records, and infor- 
mation in other documents besides SSNs that courts traditionally protect, such as 
addresses, phone numbers, photographs, medical records, family law proceedings, 
and financial account numbers. Finally, the Committee examined various federal 
laws and requirements governing SSN display and distribution by state and local 
entities. 

On August 1, 2002, CCJ and COSCA endorsed and commended “the Guidelines 
to each state as a starting point and means to assist local officials as they develop 
policies and procedures for their own jurisdictions.” 

STATE COURTS’ INTEREST IN COLLECTING AND USING SOCIAL 
SECURITY NUMBERS 

Why is this question of concern to state courts? Why do state courts need to re- 
quire parties to provide their SSNs in the course of state court litigation? 

Identification of parties. A growing number of court systems are using case man- 
agement information systems in which an individual’s name, address, and telephone 
number are entered once, regardless of the number of cases in which the person is 
a party. Such “party based” systems are rapidly replacing “case based” systems. The 
advantage of these systems is multifold: they enable courts to update an address 
or telephone number for all cases in which the person is a party by a single com- 
puter entry, they provide judges and court personnel with a fuller array of justice 
information, and they allow for cleaner information sharing with other justice com- 
munity participants such as law enforcement, prosecutors, probation systems, and 
the like. Absent the use of unique identifiers such as SSNs, the entire justice com- 
munity would come to a grinding halt and be unable to meet many state and federal 
mandates. SSNs provide a unique identifier by which court personnel can determine 
whether the current “John Smith” is the same person as a previous “John Smith” 
who appeared in an earlier case and whether this was the same “John Smith” re- 
ported to the central criminal records repository. 
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The need for SSNs in the future may be substantially reduced by the use of other 
“unique” identifiers, e.g., biometric identifiers in criminal cases. Moreover, the abil- 
ity to mask SSNs becomes easier as state courts implement sophisticated case man- 
agement systems. Certainly the move to “automate” state courts with high-end tech- 
nology allowing such services as electronic filing can provide opportunities for great- 
ly limiting access to personal information such as SSNs. However, the time and 
costs of moving to such systems necessarily means that the ability to mask or redact 
such information is, for many courts, a future event not something that can or will 
be done overnight simply because there is federal mandate to do so. 

Collection of fees, fines and restitution by courts. SSNs are the universal personal 
identifier for credit references, tax collection, and commercial transactions. 

When courts give a criminal defendant an opportunity to pay an assessment re- 
sulting from a criminal infraction in periodic payments, the court needs to be able 
to function as a collection agency. Having the convicted person’s social security num- 
ber is necessary for use of state tax intercept programs (in which a debt to the state 
is deducted from a taxpayer’s state income tax refund) and other collection activi- 
ties. Moreover, SSNs are often used for purposes such as enforcing criminal fines 
and restitution orders or denying of motor vehicle registration. 

Creation of jury pools and payment of jurors. SSNs are a necessary part of identi- 
fying eligible jurors through a process by which multiple lists (for instance, reg- 
istered voters and registered drivers) are merged to eliminate duplicate records for 
individual citizens in creating a master source list for the random selection of jurors. 
Duplicate records double an individual’s chance of being called for jury duty and re- 
duce the representativeness of jury panels. Some courts use SSNs to pay jurors as 
well. 

Making payments to vendors. SSNs are used as vendor identification numbers to 
keep track of individuals providing services to courts and to report their income to 
state and federal taxing authorities. 

Facilitating the collection of judgments by creditors and government agencies. 
Courts are not the only entities that need to collect judgements. Judgment creditors 
need SSNs to locate a judgment debtor’s assets to levy upon them. Courts often re- 
quire that the judgment debtor make this information available without requiring 
separate discovery proceedings that lengthen the collection process and increase its 
costs. Federal law now requires state courts to place the parties’ SSNs in the 
records relating to divorce decrees, child support orders, and paternity determina- 
tions or acknowledgements in order to facilitate the collection of child support. On 
October 1, 1999, that requirement was extended to include the SSNs of all children 
to whom support is required to be paid. 

Notification to the Social Security Administration of the names of incarcerated and 
absconded persons. The Social Security Administration cuts-off all payments to per- 
sons incarcerated in federal, state or local prisons or jails, and to persons who are 
currently fugitives from justice. The savings to the federal budget from this provi- 
sion are substantial. To implement this process, Social Security Administration 
needs to identify persons who have been sentenced to jail or prison and persons for 
whom warrants have been issued. The agency has traditionally obtained this infor- 
mation from state and local correctional agencies. See 42 USC §402(x)(3). The state 
courts of Maryland are involved in an experimental program to provide such infor- 
mation directly from court records. The Maryland program has two additional future 
advantages for state courts. First, the program offers the possibility of obtaining bet- 
ter addresses for many court records; social security and other welfare agencies 
have the very best address records because of beneficiaries’ obvious interest in 
maintaining their accuracy. Second, cutting off benefits may provide a useful incen- 
tive to those persons subject to outstanding warrants without requiring law enforce- 
ment to expend resources to find and serve such persons. 

Transmitting information to other agencies. In addition to the Social Security Ad- 
ministration, many states provide information from court records to other state 
agencies. A frequently occurring example is the Motor Vehicle Department, to which 
courts send records of traffic violations for enforcement of administrative driver’s li- 
cense revocation processes. These transfers of information often rely upon SSNs to 
ensure that new citations are entered into the correct driver record. 

PROPOSED LEGISLATION 

Mr. Chairman, your legislation, H.R. 2971, the Social Security Number Privacy 
and Identity Theft Prevention Act of 2003, contains the following provision: 

SEC. 102. RESTRICTIONS ON THE SALE OR DISPLAY TO THE GENERAL 
PUBLIC OF SOCIAL SECURITY ACCOUNT NUMBERS BY GOVERNMENTAL 
AGENCIES 



88 


“(x)(I) An executive, legislative, or judicial agency or instrumentality of the Federal 
Government or of a State or political subdivision thereof or trustee appointed in a 
case under title II, United States Code (or person acting as an agent of such an agen- 
cy or instrumentality or trustee) in possession of any individual’s social security ac- 
count number may not sell or display to the general public such number.” 

This section has serious implications for state courts in a variety of contexts. 

For example, federal law requires courts to enter SSNs on court orders granting 
divorces or child support or determining paternity. Some states’ laws contain similar 
requirements in other types of cases. As noted previously, given that over 96 million 
cases are filed annually in state courts, the task of redacting SSNs from existing 
documents is not only daunting, it may actually violate federal law in some cases 
and certainly violates many state “sunshine laws” to the extent that access to docu- 
ments is required. 

SSNs appear in many financial documents, such as tax returns, which are re- 
quired to be filed in court (e.g., for child support determinations) or are appended 
to official court documents, such as motions for summary judgments. Restricting ac- 
cess to SSNs in such documents is difficult because often such information can be 
buried in a stack of documents, which are generally not reviewed by courts or clerks 
until the case is actually heard. 

Courts will have substantial increased labor costs in staff time to redact or strike 
the appearance of SSNs in paper records or in microfilm/microfiche if the above re- 
quirement is imposed. 

In addition, we are unclear whether H.R. 2971 applies to newly made court 
records or all records in a court’s inventory. Obviously, asking courts to retroactively 
expunge or redact social security from all court records would be time consuming 
and expensive. Given the extensive records retention policies applicable to court fil- 
ings, retroactive redaction or masking could be an impossible task in some states. 

Finally, in an effort to make courts and court records more open, many courts are 
now beginning to make available many public records on the internet either as text/ 
character documents or by scanning and placing them online through imaging soft- 
ware (PDF files). While the removal of SSNs in text/character documents may be 
relatively easy in some computer generated records (XML), other scanned records, 
such as PDF files, will be harder to change necessitating more staff and an increase 
in labor costs. 


COSCA RECOMMENDATIONS 

We have recommended that state courts adopt the following policies, unless state 
law directs them otherwise: 

Official court files. State courts should not attempt to expunge or redact SSNs 
that appear in documents that are public records, and certainly this should not be 
required on a retroactive basis. As was mentioned earlier, federal law requires state 
courts to place the parties’ SSNs in the records relating to divorce decrees, child 
support orders, and paternity determinations or acknowledgement in order to facili- 
tate the collection of child support. The purpose of placing that data on judgments 
is not just to provide it to child support enforcement agencies; it is also to provide 
it to the parties themselves for their own private enforcement efforts. Any other ap- 
proach puts the courts in an untenable position — having an affirmative obligation 
to provide judgments in one form to parties and child support enforcement agencies 
and in another form to all other persons. 

This same reasoning applies to income tax returns or other documents containing 
SSNs filed in court. It would be unreasonable, and expensive, to expect courts to 
search every document filed for the existence of SSNs. Further, court staff has no 
business altering documents filed in a case; the SSN may have evidentiary value 
in the case — at the very least to confirm the identity of the purported income tax 
filer. 

Case management information databases. Data in automated information systems 
raises more privacy concerns than information in paper files. Automated data can 
be gathered quickly and in bulk, can be manipulated easily, and can be correlated 
easily with other personal data in electronic form. Data in an automated database 
can also be protected more easily from unauthorized access than data in paper files. 
It is feasible to restrict access to individual fields in a database altogether or to limit 
access to specific persons or to specific categories of persons. Consequently, state 
courts should take steps to restrict access to SSNs appearing in court databases. 
They should not be available to public inquirers. Access to them should be restricted 
to court staff and to other specifically authorized persons (such as child support en- 
forcement agencies) for whose use the information has been gathered. 
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Staff response to queries from the public. When court automated records include 
SSNs for purposes of identifying parties, court staff should be trained not to provide 
those numbers to persons who inquire at the public counter or by telephone. How- 
ever, staff may confirm that the party to a case is the person with a particular SSN 
when the inquirer already has the number and provides it to the court staff mem- 
ber. 

In short, staff may not read out a SSN but may listen to the number and confirm 
that the party in the court’s records is the person with that number. This is the 
same distinction applied to automated data base searches. This distinction is one 
commonly followed in federal and state courts. 

CONCLUSION 

Mr. Chairman, we recognize the serious role of SSNs in incidences of identity 
theft and the fact that such information is readily available in a host of public 
records. The current state of affairs with regard to the treatment of SSNs provides 
lawbreakers the continued opportunity to exploit the current system at the expense 
of ordinary Americans. The threat of identity theft is real and we want to do our 
part to eliminate it. However, as previously noted, there is no simple solution and 
certainly no cheap solution to this problem. Even tbe public policy coming from Con- 
gress evidences the complexity of the issue by requiring the collection, use and 
availability of such information on one hand and then seeking to restrict access to 
its use on the other. We also hope that you assist the state courts in dealing with 
the unfunded mandate H.R. 2971 presents. 

I have presented several ways our courts utilize SSNs and finding solutions to 
protect an individual’s privacy will be complex and difficult. Many state courts are 
already taking steps to fashion solutions in response to the problem. Washington 
state, for example, is pioneering an innovative solution where they are creating two 
sets of court records: a public and a private one. Other states are experimenting 
with different approaches. 


Chairman SHAW. Thank you for your testimony. Mr. Cate. 

STATEMENT OF FRED H. CATE, PROFESSOR OF LAW, UNIVER- 
SITY OF INDIANA-BLOOMINGTON, BLOOMINGTON, INDIANA 

Mr. CATE. Thank you very much, Mr. Chairman. I want to join 
the chorus of those thanking you for your steadfastness in having 
pursued both efforts to improve the integrity of the Social Security 
system and to fight identity theft. We are well-served by those ef- 
forts and well-served by this hearing today. 

As you well know, SSNs are used throughout both the public and 
private sectors for two very important and closely linked roles. One 
is to accurately link information, if you will, connect information to 
the file. Maybe one example will be sufficient to suggest the 
daunting task this really is. In the credit reporting industry in this 
country, 3 major national credit reporting agencies process 2 billion 
pieces of personal data on 180 million active consumers every 
month. Getting the right data in the right file is a considerable 
challenge. 

The second role is, of course, to facilitate identification of individ- 
uals; and, again, credit reporting may be a useful example. The 3 
credit reporting bureaus generate 600 million credit reports, and 
one of the uses of SSNs is to link the individual to the file so that 
it is then possible for the retailer or lender or whoever is request- 
ing that file to actually determine that the individual is who he or 
she claims to be. This system of ubiquitous, widely available na- 
tional SSNs has yielded many benefits, and you have heard of 
many of these over the past years. These are not merely commer- 
cial, although the commercial ones are certainly quite important. 
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I would just take a moment to say we often think of the commer- 
cial benefits in negative terms, identifying people who have de- 
faulted on loans or filed for bankruptcy, but the commercial bene- 
fits are also quite positive by allowing individuals to benefit from 
their own positive behavior, their good credit records, and it is pro- 
tecting those good credit records that SSNs play a key role in, 
which are particularly important in helping to reduce frauds by 
linking the individual to the file so that it is possible to verify their 
identity. 

We have already heard about the use for location. I would refer 
you to testimony before this Subcommittee 3 years ago in which 
you heard about the impact on pension beneficiaries, that the addi- 
tion of the SSN to name and address information increased the 
likelihood of finding a pension beneficiary from 8 percent to 85 per- 
cent, a more than tenfold increase by virtue of having access to the 
SSN. Law enforcement, of course, for years has had access and 
made use of SSNs; and in the days and months since 9/11 we have 
discovered new security uses and available benefits that SSNs gen- 
erate. 

Let me be clear: when we think about the programs that Con- 
gress and the Administration have put in place or are considering 
for border security, for airline security and other forms of national 
security, the question of SSN availability is only goes to the ques- 
tion of making those programs more accurate. It may very well be 
that you do not wish those programs to go forward, but whether 
or not they go forward it is clear we want them to be as accurate 
as possible, and that, of course, is what SSNs help make possible. 

This, then, reflects a problem with the current bill. Let me say 
there are many aspects of the current bill that are very desirable, 
very laudable: efforts to increase the penalties for the misuse of 
SSNs, to enhance the efficiency and oversight over the assignment 
of SSNs, to get SSNs off of identity documents where they do not 
belong. Nevertheless, the effort to restrict disclosure subject to cer- 
tain exceptions in an effort to protect against identity theft, all of 
my research suggests will be not only ineffective but counter- 
productive. There are a number of reasons for this, and I will con- 
clude by touching on those. 

First, the issue is not just use of SSNs. It is fine to say that the 
Attorney General can adopt exceptions so that SSNs can be used 
in national security matters. However, of course, what most mat- 
ters is that the SSNs were available when the data were collected 
so that the data were properly placed in the correct file. Second, 
the two-tier system seems unlikely to work. Maintaining records, 
whether in the public sector or private, in which SSNs are reflected 
in one version of the records but not in the others creates an ex- 
traordinary burden. 

Third, it is not clear that most cases of identity theft would be 
in any way affected by this bill. The FTC’s September 2003, study 
on identity theft indicated that 76 percent of identity theft cases 
involved a friend, family Member, coworker, neighbor or an em- 
ployee of somebody who has lawful access to the SSN. Restricting 
the further transmission or the display of the SSN would not be 
relevant in those cases, the vast majority of cases. 



91 


Finally, there are far more important steps, far more urgent 
steps, that Congress could and should take to help protect against 
identity theft and to reduce the role of SSNs in identity theft. I 
would point, for example, to Ms. Foss’s three suggestions, which 
strike me as excellent, that those who are responsible for identi- 
fying people in connection with their credit reports should be given 
incentives to make more certain identification, increased funding 
for enforcement, more funding for agencies like the SSA. At the 
end of the day, while Congress is concerned with passage of the 
FACT Act, about accuracy of credit reports and other databases 
and ensuring that those are used and applied as accurately as pos- 
sible, restricting access to SSNs is likely to have the opposite effect. 
Thank you. 

[The prepared statement of Mr. Cate follows:] 

Statement of Fred H. Cate, Professor of Law, University of Indiana- 
Bloomington, Bloomington, Indiana 

My name is Fred Cate, and I am a Distinguished Professor and director of the 
Center for Applied Cybersecurity Research at IndianaUniversity, and a senior policy 
advisor at the Center for Information Policy Leadership at Hunton & Williams. For 
the past 15 years, I have researched, written, and taught about information laws 
issues generally, and privacy law issues specifically. I directed the Electronic Infor- 
mation Privacy and Commerce Study for the Brookings Institution, was a member 
of the Federal Trade Commission’s Advisory Committee on Online Access and Secu- 
rity, and served as reporter for the recent Department of Defense Technology and 
Privacy Advisory Committee. A brief biographical statement is attached. 

I appreciate the opportunity to testify today, and I am doing so on my own behalf. 
My views should not be attributed to Indiana University or to any other institution 
or person. 

The Essential Role of Social Security Numbers 

My research on information flows in both public and private sectors, and all of 
the other research in this field with which I am familiar, highlights the need for, 
and difficulty of, accurately identifying individuals and attributing information 
about them. At first glance, these may seem like straightforward activities, but they 
have proved exceptionally difficult. How do I know that the person presenting him- 
self — to apply for instant credit, seek a government benefit, or board an aircraft — 
is who he claims to be? And how do I know that the data I have about him is cor- 
rectly associated with the right person? 

One example may suffice to suggest the magnitude of this challenge. The three 
national consumer reporting agencies process two billion pieces of personal data on 
180 million active consumers every month to generate 600 million credit reports a 
year. Making certain that each of those two billion pieces of data is placed in the 
right one of 180 million files and that each file is provided only in connection with 
the individual it concerns is a daunting task. 

The challenge is exacerbated by many factors, including: 

• The frequency of common names (e.g., there are more than 60,000 John Smiths 
in the United States alone), and the fact that names are not constant, thanks 
in part to 2.3 million marriages and 1.1 million divorces every year. 1 

• The variety of addresses available to many people (e.g., home, office, vacation 
home, Post Office box), the fact that several people may share the same ad- 
dress, and the speed with which addresses and telephone numbers change: ac- 
cording to the U.S. Postal Service, approximately 17 percent of the U.S. popu- 
lation — about 43 million Americans — changes addresses every year; 2.6 million 
businesses file change-of-address forms every year. 2 

• The inconsistencies with which we record names (e.g., J. Smith, J.Q. Smith, 
John Q. Smith) and addresses (e.g., “123 Main,” “123 Main Street,” “123 Main 
St.,” “123 S. Main Street,” “123 Main Street, Apt. B”). 


1 National Center for Health Statistics, National Vital Statistics Reports, vol. 51, no. 8, May 
19, 2003, at 1, table A. 

2 United States Postal Service Department of Public Affairs and Communications, Latest Facts 
Update, June 24, 2002. 
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• The spread of first telephone and then Internet technologies, the increased mo- 
bility of the population, and the development of truly national competition mean 
that fewer transactions are conducted face-to-face, much less with people we 
know. 

As a result of these and other factors, the need for a unique, ubiquitous, national, 
constant, and authoritative identifier has become inescapable. Many activities in 
which we engage in both public and private sectors are impossible or impractical 
without it. That is why the Social Security Number has evolved to fill this role: 
modern government and business activities required it to identify individuals, and 
ensure that information about one individual is not erroneously attributed to an- 
other individual. These two functions are often interrelated. 

The identification function is often misunderstood. Obviously, the fact that an in- 
dividual presents a Social Security Number does not prove that he or she is the per- 
son that the Social Security Number identifies. Rather, the Social Security Number 
provides an efficient, reliable way of locating a credit report or other record con- 
taining information that can then be used to verify the identity of a person. So, for 
example, if I apply for instant credit at a retailer, the retailer may ask for my Social 
Security Number as a way of locating a summary credit report about me. That cred- 
it report will list, among other things, my name, address, phone number, past ad- 
dresses, and other identifying information. The retailer can then compare the infor- 
mation I have put on the instant credit application with the information contained 
in the credit report to determine if I am who I claim to be. 

Two points are critical here: First, knowing my Social Security Number alone does 
not get me credit; it is merely a quick way of locating reliable information about 
me that then can be used to verify my identity. If you don’t believe me, walk in 
to any Target or Wal-mart or other retailer and try to obtain instant credit by pre- 
senting your Social Security Number alone. 

The second critical point is that the underlying data store must be accurate and 
reliable. Social Security Numbers play an essential role here as well by helping to 
ensure that data are linked to the right individuals and that subsequent users of 
those data have confidence in the accuracy and completeness of the data. When you 
apply for instant credit or an auto loan or a mortgage the lender wants to know 
that it is seeing an accurate and complete picture of your creditworthiness and that 
there will be reliable, affordable ways of determining if you declare bankruptcy or 
overextend yourself on credit in the future. Social Security Numbers facilitate the 
databases that do this. 

Benefits of Ubiquitous Social Security Numbers 

The availability and reliability of Social Security Numbers makes possible accu- 
rate and efficient national credit reporting and directly contributes to greater con- 
sumer choice, lower prices and interest rates, more widespread and affordable home 
ownership, and other benefits. Social Security Numbers facilitate commerce in other 
ways, for example, by making it easier to identify consumers remotely, thereby en- 
hancing lender and seller confidence and reducing fraud. 

The benefits of accessible Social Security Numbers are not limited to commerce. 
Social Security Numbers also play critical roles in identifying and locating missing 
family members, owners of lost or stolen property, heirs, pension beneficiaries, 
organ and tissue donors, suspects, witnesses in criminal and civil matters, tax evad- 
ers, and parents who are delinquent in child support payments. Just as with credit 
reporting, Social Security Numbers — often combined with other information, such as 
name — make it possible to construct accurate, comprehensive public record and 
third-party databases and search them quickly and reliably. Paula LeRoy from Pen- 
sion Benefit Information testified before this subcommittee in 2001 that the pres- 
ence of a Social Security Number increases the chance of locating a pension bene- 
ficiary from less than 8 percent to more than 85 percent — a greater than ten-fold 
increase. 3 Moreover, Social Security Numbers can overcome inconsistencies in 
names or address or errors in the way this information is recorded. 

Social Security Numbers are critical to identity verification and background 
checks required for airline employees, school bus drivers, child care workers. De- 
fense Department and intelligence agency employees, and congressional staff. Post- 
September 11 programs for enhanced border, critical infrastructure, and passenger 
facility security all depend on being able to identify individuals and asses the risk 
they present by quickly connecting to accurate information about them. This is a 


3 Hearing on Protecting Privacy and Preventing Misuse of Social Security Numbers before the 
Subcom.on Social Security of the House Comm, on Ways and Means, May 22, 2001 (statement 
of Paula Leroy). 
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substantial challenge, as stressed by the recent final report of the Department of 
Defense’s Technology and Privacy Advisory Committee. 4 Social Security Numbers 
are essential to this task. 

The essential roles played by Social Security Numbers highlight the importance 
of today’s hearing and of your longstanding efforts, Mr. Chairman, and those of this 
subcommittee to ensure the integrity and security of Social Security Numbers and 
to protect against their misuse. We must ensure that Social Security Numbers are 
accurate, unique, and available for responsible use. H.R. 2971 takes some important 
steps in this direction, for example, by getting Social Security Numbers off of identi- 
fication cards and checks where they do not need to be displayed, and enhancing 
protections within the Social Security Administration for ensuring that Social Secu- 
rity Numbers are issued appropriately and securely. However, the breadth and im- 
portance of the roles played by Social Security Numbers raise concerns about some 
of the restrictions posed by H.R. 2971. 

The Problem of Restricting Access Except for Specified Uses 

H.R. 2971 would broadly restrict the “sale, purchase or display” of Social Security 
Numbers, subject to exceptions for certain uses — for example, credit reporting and 
national security. I applaud your attention to these critical needs. The problem, 
however, is that Social Security Numbers need to be associated with the underlying 
data from the start to ensure that they are included in appropriate databases and 
made part of the right files. So, for example, provisions authorizing the Attorney 
General to permit certain uses for national security purposes are important, but al- 
most certain to be ineffective, because national security and law enforcement offi- 
cials need — and regularly use — databases constructed for other purposes to access 
routine innocuous data to determine the risk that an individual may present. It is 
fine for the Attorney General to require that an individual entering a government 
facility or boarding an aircraft present a Social Security Number, but it will not 
matter at all if those numbers cannot be used to access properly segregated data 
in existing databases. 

The FBI and other law enforcement agencies, for example, routinely access aggre- 
gate data collected and stored by Acxiom, ChoicePoint, LexisNexis, and other pro- 
viders for many commercial uses. Allowing the FBI to use Social Security Numbers 
is important, but for the data to be reliable, the providers must have been permitted 
to use Social Security Numbers all along, and the government and private entities 
that supplied data to them must also have used them. Focusing only on the end 
user is inadequate. 

The focus on use also ignores the fact that national security and law enforcement 
uses of Social Security Numbers frequently involve databases created for other pur- 
poses. Those other purposes subsidize the national security and law enforcement 
uses that the bill is likely to permit; if Social Security Numbers cannot be provided 
for those other purposes, they will not be available for the national security and law 
enforcement uses either. 

The limitation of the display restriction to “the general public” is unlikely to ame- 
liorate this risk, because of the breadth, vagueness, and circularity of the definition 
given the phrase “display to the general public”: “to make such number available 
in any other manner intended to provide access to the general public.” Moreover, 
as the General Accounting Office noted in its 1999 report to you, it is difficult to 
imagine that many data providers will undertake the cost and effort of maintaining 
two sets of data — one without Social Security Numbers for display to the general 
public and one without for other uses — or that data from which Social Security 
Numbers have been removed or obscured can be maintained, aggregated, and filed 
accurately. 5 In addition, because violation of this provision is made a crime, subject 
to five years imprisonment, it seems likely that most businesses will steer clear of 
any activity that might be considered “display to the general public,” even if that 
means no longer providing valuable services that may very well continue to be legal. 

The history of information flows is one of constantly evolving new and valuable 
uses. If those uses have to be approved one at a time through a legislative or regu- 
latory process, they are less likely to evolve as quickly or to be as affordable when 
they do. Regulatory barriers might very well have restricted the unanticipated use 
of commercial records for locating parents delinquent with child support payments 
or retirees entitled to pension benefits. These uses were not anticipated when the 


4 U.S. Department of Defense, Technology and Privacy Advisory Committee, Safeguarding Pri- 
vacy in the Fight Against Terrorism 36-38 (2004). 

5 General Accounting Office, Social Security: Government and Commercial Use of the Social 
Security Number is Widespread (GAO/HEHS-99— 28) (1999). 
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databases on which they rely were first created, but they are valuable and impor- 
tant today. 

Rulemaking Authority and Lack of Preemption 

The many and vital benefits that the public enjoys as a result of ubiquitous Social 
Security Numbers are also threatened by the broad discretion given the Attorney 
General as to whether, and if so how, he might create exceptions to the bill’s restric- 
tions. As we have seen, any meaningful exception would likely result in undercut- 
ting significant portions of the bill. Narrower exceptions run the risk of not achiev- 
ing the goals they are designed to serve and/or placing private — and public-sector 
custodians in the untenable position of maintaining duplicate databases or sup- 
plying data that may not be accurate or complete. The broad discretion given the 
Attorney General also creates a new regulator, parallel with the FTC which has 
long had authority in this area. 

What is most surprising, however, in view of the need for a truly national identi- 
fier for national security, law enforcement, and commercial purposes is that the bill 
does not appear to expressly preempt state laws and regulations concerning the dis- 
closure and use of Social Security Numbers. As Congress acknowledged last year 
with passage of the Fair and Accurate Credit Transactions Act, it is difficult to 
imagine anything more intrinsically national in scope than the creation of accurate, 
complete databases necessary to support national commerce, national security, na- 
tionwide law enforcement, and the fight against identity theft. 

Incentives for Inaccuracy 

Social Security Numbers are critical for maintaining data about individuals accu- 
rately. H.R. 2971, by restricting the use of Social Security Numbers, threatens to 
make databases less accurate. This is especially likely in the face of the proposed 
restriction on uses of credit header information, which is often the source of accu- 
rate, up-to-date data necessary to identify and locate individuals and which is al- 
ready the subject of existing financial privacy law. 

Nowhere is H.R. 2971’s threat to accuracy more clear than in the provision pro- 
hibiting a person from doing business with an individual who will not provide a So- 
cial Security Number, unless federal law requires disclosure of the Social Security 
Number. The federal government has repeatedly acknowledged that it cannot main- 
tain accurate records without access to Social Security Numbers; that is why the 
government requires them in such a wide range of settings even where no question 
of Social Security benefits is involved. But under this provision, the law would 
refuse to acknowledge that businesses face the same need; a business cannot refuse 
to provide a product or service to an individual who refuses to disclose his Social 
Security Number, even if that number is necessary to provide the product or service. 
The net result is certain to be data less able to be linked accurately with the indi- 
vidual it concerns — an ironic outcome at the same time as Congress has mandated 
the FTC and other regulators explore ways of improving accuracy in credit reports 
and other databases. 

Social Security Numbers and Identity Theft 

The motivation behind proposed new restrictions on the use and availability of So- 
cial Security Numbers is preventing identity theft. Identity theft is a growing 
scourge of modern life. It takes a toll not only on the economy and businesses, who 
bear the lion’s share of economic loss associated with the crime, but also on individ- 
uals who struggle sometimes for years to correct false information — information 
wrongly placed— in their commercial or government records. It is certain that much 
more needs to be done to address the rising tide of identity theft; my research sug- 
gests that restricting Social Security Numbers in government and commercial 
records is not the right step. 

While we do not know as much as we need to about identity theft, thanks to the 
efforts of FTC and others, one important fact we are learning is that much — perhaps 
most — identity theft is not committed by a stranger, but by a family member, friend, 
or co-worker. According to the FTC’s Synovate study of identity theft, published in 
September 2003 and based on more than 4,000 interviews, of the one-quarter of 
identity theft cases in which the victim knew the identity the perpetrator, 35 per- 
cent involved a “family member or relative” and another 18 percent involved a 
friend or neighbor. Another 23 percent of cases involved someone who worked at a 
company or financial institution that held the victim’s financial information. 6 Taken 
together, 76 percent of cases in which the perpetrator did identify the thief did not 


Federal Trade Commission, Identity Theft Survey Report at 28-29 (2003). 



95 


involve access to third-party data (e.g., commercial or public records) that appears 
to be the target of H.R. 2971. 

In the remaining 24 percent of cases that might be affected by H.R. 2971, the role 
played by Social Security Numbers in identity theft is apparently the same as that 
played in other settings — namely, to link an individual to a database file (most often 
a credit report). Given the many valuable uses of Social Security Numbers and the 
many ways in which those numbers are available, it would be far more efficient, 
as well as more broadly effective, to focus on ways for improving the identification 
of the person with his file, rather than attempting to restrict access to the Social 
Security Number in the first place. So, for example, the law might creative incen- 
tives for credit grantors to take additional steps to ensure that the person is who 
he claims to be. This would held deter not only the 24 percent of identity theft cases 
that involve a stranger, but the other 76 percent that involve a friend, family mem- 
ber, or employee of a business with whom the victim has a relationship. 

While our knowledge about identity theft is still developing, we do know that ac- 
curate Social Security Number information, attached to all financial information, is 
critical to fighting identity theft and to remedying it when it does happen. Social 
Security Numbers — if unique and reliable — are critical to preventing the granting 
of credit in somebody else’s name. They are critical to keeping bad data out of inno- 
cent people’s files. They are critical to identifying identity theft when it occurs and 
notifying victims. Yet H.R. 2971 seems intended and likely to diminish their avail- 
ability. 

The FTC study reports that businesses lost $47.6 billion due to identity theft. 7 
We should certainly be hesitant before imposing restrictions on Social Security 
Numbers that could add to that cost, especially if we cannot identify clear specific 
benefits from those restrictions. In addition, countless hearings, interviews with 
identity theft victims, and studies have shown that the greatest burden most iden- 
tity theft victims face is clearing their good names. We should be hesitant before 
doing anything that would make that already difficult process any harder. 

Finally, I would just note there is some risk of getting caught in an unending 
cycle. The need for a ubiquitous, reliable, unique identifier is not going to go away. 
If legislation makes Social Security Numbers unavailable, government and industry 
will devise another system of numbers. If Social Security Numbers today play a sig- 
nificant role in identity theft — and I have not seen evidence that they do — what 
leads us to think that the identifying number of the next decade won’t play that 
same role? 

Conclusion 

Ubiquitous Social Security Numbers help identify people and ensure that informa- 
tion is associated with the correct person. These two critical roles are essential to 
many valuable activities — from facilitating national competition to locating heirs 
and missing children to enhancing national security. Accessible Social Security 
Numbers are also critical to preventing, detecting, and remedying identity theft, yet 
they appear to play little if any role in contributing to most cases of identity theft. 
This subcommittee would be well advised to continue its careful study of these 
issues; to enlist the FTC, the Social Security Administration, and other appropriate 
agencies in carrying out the research identified in H.R. 2971; to enact those meas- 
ures necessary to enhance the integrity of the systems by which Social Security 
Numbers are created and assigned; to strengthen criminal penalties against the de- 
ceptive or fraudulent use of Social Security Numbers; and to identify and adopt spe- 
cific measures to help victims of identity theft reclaim their good names easily and 
quickly. But I would urge the greatest caution before proceeding with any restric- 
tions on the productive and value uses of Social Security Numbers necessary to the 
benefits consumers enjoy today, our economic resiliency, the prevention and detec- 
tion of crime, and our national security. 


Chairman SHAW. Thank you. Mr. Mierzwinski. 

STATEMENT OF EDMUND MIERZWINSKI, CONSUMER PRO- 
GRAM DIRECTOR, U.S. PUBLIC INTEREST RESEARCH GROUP 

Mr. MIERZWINSKI. Thank you, Mr. Chairman. It is a pleasure 
to be back before the Committee. On behalf of the State PIRG. I 


7 Id. at 7, table 2. 
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would like to offer our views on SSN privacy, identity theft, and 
related matters. Again, I also thank you for your long-time leader- 
ship on keeping these issues before Capitol Hill. I realize it is com- 
plex to enact a bill that has the jurisdictional breadth of your bill, 
but we think it is important, and we encourage you to keep going 
forward. 

I want to make three points today, first on identity theft, then 
on Nation and its inadequacies and, third, on the need for your bill. 
Identity theft is not rocket science. Everyone agrees that anybody 
with no criminal skill and little physical risk, if any at all, can com- 
mit identity theft because of two factors, in my opinion, my profes- 
sional opinion, I think that are agreed on by most experts in the 
field. The first factor is the ubiquitousness of the SSN. Your finan- 
cial DNA is easily available out there. 

The second factor is the sloppy practices of credit reporting agen- 
cies and creditors when they issue credit. They issue credit not 
based on a number of matching points of identity. As Mr. Beales 
pointed out the FTC will be looking at ways to increase the number 
of matches that are required as part of a study under Nation 
based, by the way, on California law, but because the instant credit 
context often involves merely a name and a social. They don’t check 
for an extra address or whether the address matches or a previous 
address, and it is just very simple to obtain instant credit with a 
name, a social and any other address that you might have. 

In our first studies done 8 or 9 years ago, we had no data on how 
extensive the problem was, but we did know that the problem was 
serious for consumers. We found in the year 2000, based on a sur- 
vey, that consumers spent 175 hours clearing $17,000 worth of 
fraudulent credit off of their accounts and spent over $800 in out- 
of-pocket expenses trying to clear their names. That, of course, 
doesn’t begin to measure the emotional distress. 

So, the victims routinely tell us that they don’t often know how 
the identity theft occurred. Some of them, to be sure, it happened 
because of a relative. Increasingly, identity theft, because it is such 
a simple crime, is being taught in the prison yards. I have been 
told recently that it is a business model for methamphetamine 
gangs. They like to stay up at night, as you might guess, and they 
often go dumpster diving and collecting financial DNA and other 
information. 

Identity thieves also often take jobs — as part of gangs again, not 
relatives or brothers or friends. They will often take jobs as tem- 
porary administrative employees solely to harvest SSNs. So, the 
ubiquity of the SSN is out there. It is a big problem, and all the 
police that we have interviewed for our most recent reports, again, 
agree that the availability of the SSN is a significant problem. So, 
I would respectfully disagree with Professor Cate that the report 
suggests that it is not a problem. It is. The flaws in Nation, it is 
preemptive. We opposed final passage because it took away the lab- 
oratories of democracy, all the good ideas in fact that came from 
State law, yet Nation takes away the right of the States to enact 
most State laws. 

Second, there is no private right of action in Nation for many of 
the new rights that consumers have gained. Third, some of the 
rights in Nation to restore and clear your name are only possible 
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if you file a police report. Many police don’t take police reports. So, 
additional action is needed at the State level to give victims more 
ability to take advantage of Nation. Finally, the FACT Act doesn’t 
protect SSNs; and that is why we need your bill. We need your bill 
to protect SSNs. 

Also, I would disagree with the notion that we need credit head- 
ers in society today. We think section 108 banning credit headers 
is a very important section. I have outlined in my testimony in de- 
tail why we think that the credit bureaus are now using the notice 
and opt-out privileges or conditions of Gramm-Leach-Bliley to col- 
lect SSNs from individuals, because, in fact, our reading of Trans 
Union II, a case upheld by the D.C. Circuit Court, is that credit bu- 
reaus can no longer use SSNs in credit headers. They can use the 
old ones they previously collected, but unless they provide notice 
and opt out they cannot. So, we think that your bill will perpetuate 
and narrow even further what the agencies have done in the 
Gramm-Leach-Bliley rules which were upheld in that court deci- 
sion. 

The last point I want to make, I want to echo Mr. Hoofnagle’s 
remarks on the refusal to do business provision. I know you have 
long stated that a video store should not be able to ask you for your 
SSN as a condition of renting a video. We agree, and we think that 
that is one of the most important sections of your bill. I think that 
if you tell the average American that you are going to put their 
SSN back in the box that Congress originally intended it to be in, 
that it can only be used for Social Security purposes, Medicaid pur- 
poses, tax purposes, they will be very happy with your legislation. 
Thank you. 

[The prepared statement of Mr. Mierzwinski follows:] 

Statement of Edmund Mierzwinski, Consumer Program Director, U.S. 

Public Interest Research Group 

Chairman Shaw, Rep. Matsui and members of the committee: We are pleased to 
again present the views of the U.S. Public Interest Research Group on ways to im- 
prove citizen and consumer privacy by protecting the Social Security Number from 
misuse and misappropriation for fraudulent purposes, including but not limited to, 
identity theft. As you know, U.S. PIRG serves as the national lobbying office for 
state Public Interest Research Groups, which are non-profit and non-partisan public 
interest advocacy groups active around the country. 

Summary 

U.S. PIRG believes that the widespread availability of the Social Security Number 
(SSN), the key to your financial identity, contributes to identity theft, 1 which is one 
of the nation’s fastest growing white-collar crimes. According to a 2003 survey by 
the Federal Trade Commission (FTC), nearly ten million Americans in the past year 
and one in eight adult Americans in the last five years has been a victim of identity 
theft. 2 While the 2003 enactment of the Fair and Accurate Credit Transactions Act 


1 The state PIRGs have studied credit reporting and identity theft for fifteen years. See, for 
example, “Nowhere To Turn”, Benner, Givens and Mierzwinski, CALPIRG and Privacy Rights 
Clearinghouse, 1 May 2000 at http://calpirg.org/CA.asp?id2=3683&id3=CA& We have released 
two previous reports on identity theft “Theft of Identity: The Consumer X-Files”, CALPIRG and 
US PIRG, 1996 and “Theft of Identity II: Return to the Consumer X— Files”, CALPIRG and US 
PIRG, 1997, as well as four reports on errors by credit reporting agencies since 1991, most re- 
cently “Mistakes Do Happen,” 1998. For additional details, see testimony of Edmund 
Mierzwinski before the Senate Banking Committee, 31 July 2003, at http://www.pirg.org/con- 
sumer/pdfs/consumer3 ljulymierzwinski.PDF 

2 See Federal Trade Commission “Identity Theft Report,” released 3 September 2003, prepared 
by Synovate at http://www.ftc.gov/opa/2003/09/idtheft.htm 
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(FACT Act ) 3 may reduce some of the sloppy credit bureau and creditor practices 4 
that make it easy to open a fraudulent account in someone else’s name, it is still 
incumbent on this committee to take additional steps to protect the Social Security 
Number. If the SSN is available in fewer places, on fewer documents and used for 
fewer commercial transactions or database identifiers when it shouldn’t be, identity 
thieves as well as stalkers 5 and even terrorists 6 will be less able to harvest it for 
misuse. It is well-documented, for example, that identity thieves will often seek em- 
ployment as temporary office employees, solely to harvest SSN and other bits of “fi- 
nancial DNA.” Identity theft is a serious crime. It costs the economy billions and 
wreaks untold havoc on the lives of hard-working Americans who face the emotional 
distress and nightmare of clearing their names. 

In addition, limiting the sale, purchase and display of the SSN in the private sec- 
tor extends important privacy principles of the U.S. Privacy Act that have generally 
operated to protect privacy in government uses of information to also protect privacy 
in commercial uses of information, where consumers have generally only been pro- 
tected by a patchwork of modest safeguards. As a result of the permissive avail- 
ability of SSNs for use in the private sector, the SSN has leaked into use in all as- 
pects of commercial transactions. 

Your bill contains two important provisions we have long supported. First, it ex- 
tends a strong anti-coercion provision that will limit private sector use of the Social 
Security Number by making it an unfair trade practice to refuse to do business with 
a consumer who refuses to provide an SSN. Second, your bill fully closes the court- 
narrowed credit header loophole, which has allowed secondary sale and use of Social 
Security Numbers without consent by credit bureaus, outside of the protections of 
the Fair Credit Reporting Act (FCRA). 

In addition, your bill imposes important restrictions on the sale, display and use 
of the Social Security Number. For example the bill bans display on government- 
issued checks, on government or private sector employee and benefit ID cards and 
on drivers’ licenses. It generally bans display, purchase or sale in the private sector. 
Your bill restricts use of SSNs by prison labor, following the well-publicized 
Metromail scandal involving a convicted felon who stalked a grandmother by tele- 


3 The identity theft epidemic was not the spark that kindled passage of the FACT Act. Con- 
gress had ignored identity theft for years Expiration of certain time-limited restrictions on state 
authority to enact stronger credit and privacy laws drove industry to support permanent exten- 
sion of the preemption of state laws. Although the new law includes several elements of PIRG’s 
long-sought reform platform, the bill’s price was unacceptable, since Congress permanently re- 
stricted most state rights to enact stronger laws, even though the best parts of the law are based 
on recent state laws. Both the Fair and Accurate Credit Transactions Act of 2003 (PL 108-159, 
12/04/03) and the FCRA as amended are available at the FTC website at http://www.ftc.gov/os/ 
statutes/fcrajump.htm PIRG maintains an archive of FACT Act documents at http:// 
www.pirg.org/consumer/fcra.htm 

4 Financial identity theft requires little criminal skill and no physical risk. Identity thieves 
armed with only your name and SSN exploit the creditor/credit bureau practice — extremely 
prevalent in the “instant credit” context, of matching only these two identifiers in the credit 
granting process. Conversely, since consumers are not trusted users, as are creditors, a credit 
bureau requires a consumer, to obtain his or her own credit report, to provide a full name, an 
SSN, an address, previous addresses for the past five year and, often, a xerox copy of a drivers’ 
license or utility bill showing that same address. Of course, identity thieves are not seeking to 
obtain your credit report, merely to obtain credit in your name at their address. While certain 
FACT Act provisions are designed to increase creditor and credit bureau verification before ac- 
count opening, limiting the availability of the SSN will make it harder to obtain your “financial 
DNA” and use it. 

5 Amy Boyer was the first known victim of an Internet stalker. A man named Youens tracked 
her with confidential information, including her Social Security Number, allegedly obtained 
through an Internet information broker. EPIC maintains an Amy Boyer archive at http:// 
www.epic.org/privacy/boyer/ See PIRG’s archived fact sheet at http://www.pirg.org/consumer/ 
trojanhorseboyer.pdf 

6 According to recent news reports, a Kansas City man found out when he tried to purchase 
a car that his Social Security Number had been used by one of the suspected 9/11 hijackers’ 
associates still at large. “Man Trying To Buy Car Finds Out 9/11 Terrorist Took ID,” Omaha 
News Channel, 21 April 2004, last accessed at http://www.theomahachannel.com/news/3026399/ 
detail.html on 13 June 2004. Further, one of the associates of the 9/11 hijackers, Lofti Raissi, 
had been reported to be using the Social Security Number of a long-dead New Jersey woman, 
suggesting one reason that the bill’s protections for the SSNs of the deceased should be in- 
creased [See Title I, Section 101, exception VII of HR 2971 and Section 107(c)(2) of HR 2971]. 
Of course, nearly all the hijackers had one or more valid or invalid SSNs. See testimony of So- 
cial Security Administration Inspector General James Huse before the House Judiciary Com- 
mittee, 25 June 2002, at http://www.house.gov/judiciary/huse062502.htm Also see the 8 Novem- 
ber 2001 Joint Hearing on the Social Security Administration Death Master File of the Ways 
and Means Committee Subcommittee on Social Security and the Financial Services Oversight 
and Investigations Subcommittee archived at http://financialservices.house.gov/hear- 
ings.asp?formmode=detail&hearing=83 
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phone. It also adds new safeguards when obtaining a Social Security Card, to pre- 
vent fraudulent use and protect the integrity of the Social Security Number system. 
Your bill also increasing criminal penalties for misuse of the SSN. We offer sugges- 
tions below to narrow the exceptions provided in the bill to better achieve its pur- 
pose. 

Any legislation enacted should be simple, based on Fair Information Practices, 7 
and contain as few loopholes and exceptions as possible. It is critical that new legis- 
lation not preempt or roll back existing privacy protection under either the Gramm- 
Leach-Bliley Act (GLBA) regulations 8 or the Shelby drivers’ privacy amendments. 9 
We urge you to resist business demands for exceptions and loopholes. You should 
especially challenge their specious arguments that so-called business-to-business 
uses will not pose privacy risks. 

Unless credit bureaus and others are weaned from their over-reliance on the So- 
cial Security Number as a unique identifier, we will not succeed in protecting the 
SSN from misuse. 

In addition to the problems created by theft of the SSN, its use in the credit sys- 
tem as a supposed unique identifier is flawed and leads to inaccuracy in credit re- 
porting due to errors in data entry. Unlike credit card numbers, which contain a 
check-sum digit reducing data entry error rates, SSNs can be easily entered with 
transposed digits or other errors. Mistakes in credit reports lead to consumers either 
being denied credit or paying too much for credit. 

(1) Principles of Social Security Number Protection: Simplicity, With Few, If Any Ex- 
ceptions and Loopholes 

Privacy expert Robert Ellis Smith, the publisher of Privacy Journal and author 
of “Social Security Numbers: Uses and Abuses” (May 2001) has proposed a simple 
Social Security Number protection scheme. 10 Your bill tracks much of it closely. 
Here is Smith’s proposal, with his explanations in brackets: 

1. “It shall be illegal to buy or sell the Social Security number of a person.” [This 
is the source of much identity theft; it is always a secondary use of the SSN; 
and it is inconsistent with using the SSN as an AUTHENTICATOR of personal 
identity.] 

2. “No person shall be required to provide a Social Security number on an appli- 
cation for credit or on a request for a copy of one’s own credit report under 
the Fair Credit Reporting Act.” [The FCRA merely requires satisfactory proof 
of identity to see one’s own credit file. Use of SSNs to make a match between 
a requested credit report (by a credit grantor) and a credit report in a credit 
bureau’s system has been the cause of confusion for credit grantors, night- 
mares for consumers, and identity theft. If credit bureaus did not rely on SSNs 


7 Fair Information Practices are discussed in numerous contexts in the Congress today. Unfor- 
tunately, many industry-supported bills and nearly all industry “studies” seek to dumb-down the 
comprehensive Fair Information Practices to unacceptable levels. As originally outlined by a 
Health, Education and Welfare (HEW) task force in 1973, then codified in U.S. statutory law 
in the 1974 Privacy Act and articulated internationally in the 1980 Organization of Economic 
Cooperation and Development (OECD) Guidelines, information use should be subject to Fair In- 
formation Practices. Noted privacy expert Beth Givens of the Privacy Rights Clearinghouse has 
compiled an excellent review of the development of FIPs, “A Review of the Fair Information 
Principles: The Foundation of Privacy Public Policy.” October 1997. http://www.privacyrights.org/ 
AR/fairinfo.html The document cites the version of FIPs in the original HEW guidelines, as well 
as other versions. 

8 The GLBA created a category of protected “non-public personal information.” The final GLBA 
financial privacy rules issued by 7 federal financial agencies defined Social Security Numbers 
as non-public personal information (NPPI). A key provision is that the transfer of Social Secu- 
rity Numbers from financial institutions to credit bureaus is only allowed for regulated Fair 
Credit Reporting Act purposes (eg, for use in a credit report) but not for unregulated purposes, 
where the credit bureau would be considered a non-affiliated third party. The agencies correctly 
interpreted the law to prevent the sharing of Social Security Numbers unless consumers are 
given notice of the practice and a right to opt-out. 

9 Senator Shelby’s 2000 amendments to the Driver’s Privacy Protection Act were incorporated 
as Section 309 of the Transportation Appropriations bill (PL 106-346) signed by the President 
23 October 2000. The amendment requires states to obtain express consent of drivers before the 
sharing or selling of a driver’s “highly sensitive personal information,” including Social Security 
Number, photograph, image, or medical or disability information. In 1999, Shelby had incor- 
porated these provisions into law as part of the Appropriations bill, but only for one year, while 
the 2000 amendment amends the DPPA itself. In 2000, the Supreme Court upheld the constitu- 
tionality of the DPPA in Reno vs. Condon. 

10 See the Privacy Journal website for more information. Smith’s latest book is “Ben Franklin’s 
Web Site: Privacy And Curiosity From Plymouth Rock To The Internet” http:// 
www.privacyjournal.net/ 
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to make a match, 80 percent of identity theft would cease. There is a long list 
of case law to support the need for this provision.] 

3. “No person shall be compelled or coerced into providing a Social Security num- 
ber for any transaction unless there are income-tax consequences in the trans- 
action or there is relevance to Social Security, Medicare, or Medicaid benefits. 
No person shall be compelled or coerced into providing a Social Security num- 
ber on an application of employment until there has been a firm offer of em- 
ployment. Any application for employment shall state that the request for the 
Social Security number prior to a firm offer of employment is voluntary.” [This 
would essentially freeze demands for Social Security numbers in a way least 
disruptive to organizations currently relying on SSNs. It would tie demands for 
Social Security numbers to the two original purposes (SSA administration and 
federal taxes) two uses that are at least anchored in long-standing law. Placing 
SSNs on job-application forms increases the risk of exposing them to fraudu- 
lent users of SSNs.] 

4. “No institution of higher education or elementary or secondary school shall use 
a student’s Social Security number as a student identification number.” [An 
alarmingly high number of identity theft frauds originated from SSNs taken 
from universities. Deterring school systems from using the SSNs as a student 
ID number will permit parents to delay labeling their children with numerical 
IDs.] 

(2) Principles of Social Security Number Protection And Analysis of HR 2971 

U.S. PIRG concurs with the detailed testimony today from the Electronic Privacy 
Information Center (EPIC). We believe that the most effective way to protect Social 
Security Numbers would be to enact simple, straightforward legislation that reins 
in the widespread non-statutory uses of the Social Security Number as an identifier 
in the private sector. 11 

(A) Principal One: No Coercion By Businesses 

The Social Security Number was originally intended for Social Security purposes. 
Its federal government uses have been expanded to tax and Medicaid purposes. No 
private sector business should be able to insist that a consumer provide an SSN as 
a condition of doing business, unless that firm is required to collect the SSN for offi- 
cial government purposes. Your bill (Section 109) makes coerced demand (refusal to 
do business) of a consumer’s Social Security Number an unfair trade practice under 
Section 5 of the Federal Trade Commission Act. No one should have to give up his 
or her SSN to rent a video, as you have long pointed out. 12 

(B) Principal Two: Close The Credit Header Loophole 

Your bill (section 108) also incorporates provisions long championed by its co- 
sponsor Rep. Kleczka closing the so-called credit header loophole. Under an egre- 
gious 1994 decision of the Federal Trade Commission, consumer reporting agencies 
(credit bureaus) had developed a thriving business selling Social Security Numbers 
outside the Fair Credit Reporting Act 13 (FCRA), without consumer consent. 

Credit headers include information ostensibly not bearing on creditworthiness and 
therefore not part of the information collected or sold as a consumer credit report. 
The sale of credit headers involved stripping a consumer’s name, address, Social Se- 
curity Number and date of birth from the remainder of his credit report and selling 
it outside of the FCRA’s consumer protections. Although the information, marketing 
and locater industries contend that header information is derived from numerous 
other sources, in reality, the best source of credit header data is likely financial in- 
stitution information, which is updated regularly. 


11 Ideally, such a bill would also narrow many of the government use exceptions that have 
been established over the years allowing the Social Security Number to be used as an identifier 
and matching element for secondary purposes unrelated to Social Security. 

12 This is essentially extending Section 7 of the Privacy Act of 1974, Public Law 93-579 (which 
protects the Social Security Number in government uses with an anti-coercion provision) to the 
private sector. 

13 15 USC 1681 et seq. See the FTC’s version of the FCRA as amended by the FACT Act at 
http://www.ftc.gov/os/statutes/fcrajump.htm 
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While the DC Circuit, U.S. Court of Appeals, has upheld the Gramm-Leach-Bliley 
Act privacy regulations 14 and thereby narrowed the credit header loophole, 15 more 
needs to be done. The regulations do however allow the harvesting of SSNs for sec- 
ondary purposes if the law’s notice and opt-out provision is complied with. A recent 
Washington Post 16 story notes that the credit bureaus are now adding a boilerplate 
notice to requests for credit reports or subscriptions to their over-priced credit moni- 
toring services, which could allow them to bypass the court restrictions: 

“And the other “gotcha:” “There is an even higher price,” the reader says. 
“Reading the privacy disclosure information, I was surprised that you were agree- 
ing to let them use everything in your credit report for marketing — by them, by 
their affiliated companies and by others.” 

Bad enough that many privacy policies state that they’re going to share your 
name, address, phone, Social Security number, birth date, even credit-card num- 
ber for marketing purposes — resulting in more junk mail, spam and telemarketing 
calls (yes, even if you signed on to the federal Do Not Call Registry, because now 
you have a business relationship). 

In 1994, the Federal Trade Commission had granted an exemption to the defini- 
tion of credit report when it modified a consent decree with TRW (now Experian). 
The FTC said that certain information would not be regulated under the Fair Credit 
Reporting Act. The so-called credit header loophole allows credit bureaus to separate 
a consumer’s so-called header or identifying information from the balance of an oth- 
erwise strictly regulated credit report and sell it to anyone for any purpose. 

(C) Principal Three: Restrict The Sale, Purchase and Display of the SSN 

Your bill imposes important restrictions on the sale, display and use of the Social 
Security Number. For example the bill bans display on government-issued checks, 
on government or private sector employee and benefits ID cards and on drivers’ li- 
censes, and generally bans display, purchase or sale in the private sector. Your bill 
restricts disclosure to and use of SSNs by prison labor, following the well-publicized 
Metromail scandal. It also adds new safeguards when obtaining a Social Security 
Card, to prevent fraudulent use and protect the integrity of the Social Security 
Number system. Your bill also increases criminal penalties for its misuse. 

(D) Principal Four: Not All Social Security Number Bills Are Created Equal 

In previous Congresses, many worthy bills, in addition to your own, most recently 
HR 4857 (106 th ) and HR 2036 (107 th ), have been proposed by privacy champions. In 
the 107th Congress, meritorious proposals included HR 1478 (Kleczka), HR 220 
(Paul) and S 324 (Shelby) to protect Social Security Numbers. Among other Social 
Security Number bills with positive features in the 106th Congress was a proposal 
by Rep. Markey (HR 4611). 

However it is important to note that some well-intentioned privacy bills may actu- 
ally increase the risk of sale or display of Social Security Numbers. For example, 
in the 106 th Congress, the most prominent Senate proposal to ostensibly protect So- 
cial Security Numbers actually would have expanded commercial availability of So- 
cial Security Numbers. Originally intended to serve as a legacy for Amy Boyer, the 
first known victim of an Internet stalker, the Amy Boyer Law, 17 as very nearly en- 
acted into law, 18 was actually a Trojan Horse and would have expanded commercial 


14 On 16 July 2002, the DC Circuit of the U.S. Court of Appeals, Case No. 01—5202 [See http:// 
laws.findlaw.com/dc/015202a.html] upheld an April 2001 U.S. Court DC District ruling (Trans 
Union LLC v. Federal Trade Commission, Civil Action No. 00—2087, see http:// 
www.dcd.uscourts.gov/00-2087.pdf) (the case now known as Trans Union II, consolidating Trans 
Union vs. FTC and IRSG vs. FTC) that the privacy rules issued under GLB are constitutional. 
[In Trans Union I vs. FTC the DC Circuit had upheld at FTC order that unregulated credit 
headers could not include dates of birth because of their use in credit scoring models and there- 
fore, in credit decision-making. That case also upheld the constitutionality of the FCRA and that 
privacy protection serves an important government purpose. See (No. 00-1141, 13 April 2001, 
(cert denied, 10 June 2002 by Supreme Court), Trans Union I vs. FTC, http://laws. findlaw.com/ 
dc/00 1141a.html 

15 For a discussion of the credit header loophole and the treatment of the SSN as protected 
non public personal information, see the GLBA Privacy Rule at pages 80-83, Federal Trade 
Commission, 16 CFR Part 313, Privacy Of Consumer Financial Information, Final Rule, avail- 
able at http://www.ftc.gOv/os/2000/05/glb000512.pdf 

16 See Oldenburg, Don, “Free Credit Reports That Cost You Your Privacy”, The Washington 
Post, 17 Feb 04. 

17 See PIRG’s archived fact sheet at http://www.pirg.org/consumer/trojanhorseboyer.pdf 

18 The Amy Boyer Law, introduced as S. 2554, (Gregg, 106th) was incorporated as Section 626 

into the Commerce-Justice-State Appropriations (HR 4690 RS) and passed into law as Section 
635 of HR 5548, which was included in HR 4492 as sent to the President, but then was re- 

Continued 
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loopholes for obtaining Social Security Numbers, failed to protect Social Security 
Numbers on public documents and also would have preempted stronger state pri- 
vacy laws. Subsequent proposals from the Amy Boyer Law’s chief sponsor, Senator 
Gregg, and Senator Feinstein, have been better, but still deficient compared to your 
approach. 19 

(3) Suggestions To Improve HR 2971: 

We concur with EPIC’s detailed recommendations to strengthen the bill and nar- 
row its exceptions. In particular, we agree that the Congress should limit the Title 
I exceptions for governmental sale of the SSN. Specifically, we recommend that sub- 
section (V), which allows unlimited sale of SSNs to thousands of credit reporting 
agencies (CRAs), be removed from the bill. This exception is too broad and allows 
unrestricted transfers of government records containing social security numbers to 
CRAs, possibly for purposes unrelated to regulated credit reporting, including direct 
marketing. If it remains, it should be re-drafted in the manner of the credit header 
section, Section 109, which would only allow the use of the SSNs so provided for 
provision in a regulated credit report, not for any other purpose. 

Second, as EPIC describes, additional procedural safeguards should be added to 
restrict the Attorney General’s Section 102 prerogatives in granting additional sale 
and display exceptions. These include addition of a public comment period to the 
rulemaking, eliminating the “undue” qualifier and adding the crime of identity theft 
as a risk factor, and requiring any entity that gains use of the SSN through an ex- 
ception to use technical means, such as encryption, to protect the SSN. 

We also concur with EPIC that section 104 should also prohibit states from encod- 
ing the SSN on magnetic strips, barcodes, or smart cards on the driver’s license, as 
we are aware that while some states do not print the SSN on the card, they may 
embed the identifier digitally on the card. 

In addition, as we have pointed out above, unless steps are taken to wean the 
private sector of its over-reliance on the SSN, it will continue to use it. Therefore, 
we concur with EPIC that exceptions should be for limited and specific time dura- 
tions. If the committee believes it is necessary to extend any exceptions at all allow- 
ing continued non-statutory collection of Social Security Numbers by the private sec- 
tor, which has unfortunately come to depend on the Social Security Number as a 
crutch, then the committee should include technology-forcing time limits on private 
uses so that firms are forced to develop more accurate alternatives that do not pose 
the secondary use problems of continued use of the Social Security Number, which 
was originally intended only for Social Security and certain tax purposes. Expect the 
business community to argue that business-to-business uses are both necessary and 
protective of the SSN. Neither claim is true. 

Conclusion 

We want to thank you, Mr. Chairman, for your leadership on these issues and 
for offering us the opportunity to present our views on the need for strong privacy 
protections to protect Social Security Numbers from misuse. We look forward to 
working with you on this and other matters to guarantee the privacy of American 
citizens. Restricting the widespread availability of Social Security Numbers is one 
of the most important solutions to the identity theft epidemic. It also brings the use 
of SSNs more closely under the limited use principles embodied in the Fair Informa- 
tion Principles. 


Chairman SHAW. Thank you. It wasn’t too long ago this Com- 
mittee had a hearing, and a military officer had undergone the 
same problem. The identity thief had taken his identity and SSN 


scinded on the same day by language reversing its effect included in the Conference Report on 
HR 4577, the Consolidated Appropriations Act, (Labor-HHS Approps). Section 213 of HR 4577 
amends HR 5548 by deleting a number of sections of HR 5548. Section 213(a)(6) of HR 4577 
strikes the Amy Boyer Law (Section 635 of HR 5548). See page H12261 of the Congressional 
Record for 15 Dec 00. 

19 For example, under the law enforcement exception in S 848 (Feinstein, 107 th ) collection of 
delinquent child support would be a “law enforcement” purpose. Does that extend the exception 
to allow any private firm collecting child support to take advantage of the exception? It appeared 
to do so, despite well-documented circumstances where some private child support collection 
firms have abused debt collection laws. See “Problems At Child Support, Inc., Complaints In- 
crease For Specialized Collection Firms” 18 May 2000, Washington Post, Caroline E. Mayer and 
Jacqueline Salmon. 
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and purchased a Jeep. On further reflection, he all of a sudden re- 
alized that, also, his Social Security was his serial number that 
was required on the back of the check at the PX. So, you never 
know how many hands these things are going to go through; and, 
Mr. Ladd, we have got a lag time in the bill of 2 years in order 
to get to conformity. As long as public documents are public docu- 
ments, and, of course, these court files have to stay open to the 
public and particularly land records. 

I practiced law for many years before coming to Congress. I can’t 
remember a single time except in an estate situation where I had 
to inquire of the client of his SSN. Twenty some years can fog your 
memory, but I can’t remember back then we ever needed them or 
wanted them, and that is back when we tracked land titles with 
abstracts instead of doing it online. We didn’t know what online 
meant. 

Mr. LADD. We would concur with that, that there is little pur- 
pose from the land records custodian’s point of view for the inclu- 
sion of the SSN. However, because of some of the difficulties of 
identifying the correct Robert Jones, and in the land title business 
as well, that has become added to the record more and more fre- 
quently. We object to it, but we have no authority to refuse the 
record. 

Chairman SHAW. My brother’s name is John Shaw. Clay Shaw 
is not a very common name, unless you go to New Orleans. John 
Shaw is a common name. We own property together, and every 
time there is a title search his name pops up with about six judg- 
ments against it, which we cure with affidavits. We don’t seem to 
have a problem with that because, of course, he doesn’t have any 
judgments against him, but it is a common name. Still we have al- 
ways done it without putting any SSNs on the record; and, quite 
frankly, I am not sure that would separate him from someone with 
a similar name because I don’t recall the SSN ever being on a final 
judgment that was put on record. 

Mr. LADD. Will that vary from jurisdiction to jurisdiction and 
then from financial institution to financial institution. 

Chairman SHAW. You do have a problem as far as your State 
law is concerned? I think Mr. Cate, you spoke or one of you spoke 
about State rights. Either Buenger or Cate, I can’t remember which 
one. The SSN is a Federal number issued by the Federal Govern- 
ment, and I don’t see any States’ rights problem in limiting the dis- 
play of that. Ms. Foss, I wanted to go just a little further into your 
case. You certainly went through a nightmare; and, fortunately, the 
perpetrator showed up and was prosecuted and now is, I assume, 
still serving time in jail. 

Ms. FOSS. The special agent with the Social Security Inspectors 
Office said that they couldn’t track whether or not she was still in 
jail. So, they didn’t know at this point in time. 

Chairman SHAW. Well, we don’t lose people in jail. Even in 
Baghdad we know who is in the can. I would think somebody could 
track that down. Was it in a Federal penitentiary? Or was it State? 

Ms. FOSS. She was working out of Mail Boxes, Etc. on Wisconsin 
Avenue in D.C., so I believe it was the D.C. District Court that 
handled it. 

Chairman SHAW. Do you live here in the District? 
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Ms. FOSS. I never lived in the District. I have lived in Maryland. 
At the time this happened to me, I was in Pennsylvania; and I 
never had anything stolen that I know of. 

Chairman SHAW. How long ago was it? 

Ms. FOSS. It was 1999 when I discovered it, and she had been 
going at it for about 6 months. 

Chairman SHAW. Yes, I guess she is probably out. I hope she 
didn’t write it down somewhere. 

Ms. FOSS. I hope she forgets everything. 

Chairman SHAW. You are smart to keep track of your record, 
because that stuff can pop up again. One of the terrible things with 
identity theft is once you get into that cycle you are very liable to 
get hit again. So, it is very important. I can see that you all dis- 
agree in a much more civil manner than we do here in the Con- 
gress, and I congratulate you. We very much appreciate your point 
of view. I am going to give the other Members of this Committee 
an opportunity to submit some questions which I intend to also 
submit to you in writing, and we would appreciate your answering 
those questions, and we will make that part of this record. Thank 
you so much for your time. The problem with the Members not 
being here is that the hearing went actually longer than we 
thought, plus we had an interruption of almost an hour in the mid- 
dle of it, which got schedules all off kilter. Thank you. This hearing 
is adjourned. 

[Whereupon, at 1:54 p.m., the hearing was adjourned.] 

[Questions submitted from Chairman Shaw to Mr. Beales, Mr. 
O’Carroll, Ms. Bovbjerg, Mr. Maxwell, Mr. Ladd, Mr. Hoofnagle, 
Mr. Mierziwinski, Mr. McGuinness, Mr. Buenger, Mr. Cate, and 
their responses follow:] 

Questions from Chairman E. Clay Shaw, Jr. to Mr. Howard Beales, III 

Question: You mentioned that the Gramm-Leach-Bliley Act (GLBA) re- 
stricts financial institutions from sharing SSNs with unaffiliated busi- 
nesses. When the FTC issued the final rule on privacy under GLBA, did you 
anticipate a greater level of protection for SSNs than has actually oc- 
curred, especially with regard to SSNs in credit headers? How has actual 
practice differed from what the FTC envisioned at that time? Would you 
agree we need stronger protection for SSNs? 

Answer: When considering the need for greater protections for SSNs, it is impor- 
tant to keep in mind the reason that SSNs are valuable to identity thieves. SSNs 
are crucial to the proper functioning of our financial system. In particular, they are 
used by credit bureaus to match consumers to the appropriate credit information 
and are widely used by businesses to identify consumers. Thus, in a real sense, ac- 
cess to SSNs by legitimate users is an important tool in combatting identity theft. 
In my view, any restrictions on SSNs should be carefully tailored to balance the 
need to keep SSNs out of the hands of those who might use the information fraudu- 
lently with the need for businesses to have sufficient information — including SSNs — 
to spot fraud and attribute information to the right person. The best approach to 
achieving this balance is to limit access to SSNs to those purposes that are legiti- 
mate. This is the model used in other successful federal privacy laws, such as the 
Fair Credit Reporting Act, which allows information to flow without restriction to 
credit bureaus, who then may only disclose a credit report for a “permissible pur- 
pose” as specified in the FCRA. Any further regulation of SSNs should follow this 
same model. 

With respect to the Gramm-Leach-Bliley Act, as discussed in the Commission’s 
testimony, the GLBA Privacy Rule imposes certain restrictions on the disclosure of 
information collected by credit bureaus from financial institutions, including SSNs 
and other identifying information about consumers (sometimes called “credit head- 
er” information). Prior to the GLBA’s passage in 1999, the disclosure of this infor- 
mation was not regulated under Federal law (including the Fair Credit Reporting 
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Act, which generally does not cover identifying information). Although I was not at 
the Commission when the GLBA Privacy Rule was enacted, it was likely anticipated 
that the disclosure of SSNs would be restricted under GLBA to a greater extent 
than existed prior to its passage. At the same time, it was recognized that GLBA 
did not place comprehensive restrictions on the sharing of SSNs. For example, 
GLBA covers only nonpublic personal information obtained from financial institu- 
tions, and is not retroactive (and therefore does not limit the sharing of information, 
including SSNs, that were collected prior to July 1, 2001). 

With certain exceptions, such as for credit reporting, fraud prevention, and law 
enforcement, GLBA prohibits sharing of information to nonaffiliated third parties 
unless the consumer has been given a chance to “opt out.” The Privacy Rule pro- 
hibits redisclosure of information received under an exception for purposes other 
than to carry out the activity covered by the exception. In practice, it appears that 
credit bureaus are redisclosing credit header information — including SSNs — for 
credit reporting purposes as well as for other purposes listed under certain GLBA 
exceptions, such as fraud prevention or law enforcement. See 16 C.F.R. §313.14-.15 
(2000). In my view, the Rule seems to assume that information will be disclosed for 
one purpose, but nothing in the rule expressly prohibits sharing information for 
more than one purpose, and it is unclear whether there is a statutory basis for such 
a prohibition. This broader interpretation has the result in many cases of furthering 
important policy goals, such as combating fraud, assisting law enforcement, ensur- 
ing public safety, and complying with judicial process. At the same time, it is impor- 
tant that the credit bureaus take care not to redisclose credit header information 
beyond the bounds of the GLBA exceptions. 

Question: Do you agree with Mr. Fred Cate’s interpretation of the FTC- 
sponsored Synovate survey’s results, indicating the statistics prove com- 
mercial or public records are not the primary sources identity thieves use 
to obtain SSNs? 

Answer: The Synovate survey indicated that the largest category of identity-re- 
lated crimes within the preceding year involved the misuse of existing credit cards, 
which most likely can be committed without the victim’s SSN. In those crimes 
where it is more likely that SSNs are used, such as when new accounts are opened 
or other frauds committed in the victim’s name, it is difficult for victims of identity 
theft to know exactly when, where, how and by whom their personal information 
was compromised. Thus, the survey found that only 34 percent of victims who had 
new accounts opened in their name or whose information was used to commit other 
frauds (“Victims of New Accounts & Other Frauds’ ID Theft”) knew who had mis- 
used their personal information. Of these 34 percent who knew the identity of the 
thief, 53 percent said it was a family Member or relative; 12 percent said it was 
someone who worked at a company or financial institution who had access to the 
victim’s personal information; and 10 percent of victims who could identify the cul- 
prit said it was a friend, neighbor, or in-home employee. 

Further, the survey found that 58 percent of all victims of “New Accounts & Other 
Frauds” ID Theft indicated they knew how the identity thief obtained their per- 
sonal information. Of that 58 percent, about 35 percent said their information was 
lost or stolen; 19 percent of those said their personal information was obtained dur- 
ing a transaction, such as a purchase; and 46 percent of those who knew how the 
information was obtained said the thief used “other” means of access (e.g., access 
via a family Member or from printed checks or bills. 

Not surprisingly, it is difficult to assess from these findings how and from where 
SSNs are obtained. Some of the information may have come from commercial 
records, or when the thief works for a company with the information, or in the 
course of a transaction. The survey results do not identify public records as a major 
source of information, but it is important to keep in mind that about 40 percent of 
victims of the most serious form of identity theft, the opening of new accounts, sim- 
ply do not know how the thief obtained the information. Thus, the survey does not 
allow us to draw firm conclusions about the sources of SSNs for identity thieves. 

Question: The Salt Lake Tribune reported this month that identity 
thieves are increasingly using their own names and somebody else’s SSN 
to obtain credit. Can you confirm this? If yes, how could it happen? Don’t 
credit bureaus check to see whether an individual’s name and SSN match 
and refuse credit if it doesn’t? The article also mentioned that if the name 
and SSN do not match, the credit bureau creates a “subfile.” The subfile af- 
fects the victim’s credit, but the victim cannot obtain a copy of the subfile 
when they request a copy of their credit report, so they cannot clear up 
the identity theft. Is this true? 

Answer: The FTC staff is currently attempting to gain a fuller understanding of 
the facts and circumstances underlying the article’s allegations. To that end, FTC 
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staff is following up with the government officials mentioned in the article to learn 
more about this issue. We have no information on the prevalence of this type of 
identity theft or whether it is increasing. The article does not disclose, and it may 
not be possible to determine, how the illegally used SSNs were obtained. 

With respect to the types of information used by credit reporting agencies in their 
matching processes and information provided to creditors and consumers, Nation re- 
quires the FTC to study the methods and efficacy of credit reporting agency efforts 
in matching information to ensure that a consumer is the correct individual to 
whom a consumer report relates before releasing a consumer report to a user of that 
report. See Pub. L. No. 108-396, § 318 (2003). I anticipate that we will learn more 
about this issue in the course of our work on this study, which is to be completed 
by December, 2004. At this time, we do not know of any way that a “subfile” could 
impact a consumer’s credit report or credit score without also being disclosed to the 
consumer upon request. 

Question: This Subcommittee has heard from a number of victims of 
identity theft. A common, and frustrating, theme is that after individuals 
discover the theft and report it to credit bureaus and financial institutions, 
they continue to be victimized by identity theft. How can this continue to 
occur, given the anti-fraud programs the industry cites? In your judgment, 
is the private sector doing enough to combat identity theft and assist its 
victims? Are there more effective ways to assist victims of identity theft to 
correct their credit histories? 

Answer: Victims of identity theft often must navigate through various bureau- 
cratic procedures to recover from the crime. Nation has established a number of 
measures designed to simplify this process and reduce the incidence of identity 
theft. Identity theft account blocking will give victims certain rights to ensure that 
fraudulent information gets removed promptly from their credit reports, thereby 
preventing distortion of their credit records. Creditors or other businesses must give 
victims copies of applications and business records relating to the theft of their iden- 
tity, which can assist victims in proving that they are, in fact, victims. 

Other measures are designed to prevent or mitigate identity theft. The national 
fraud alert system will require creditors to take certain steps to verify the identities 
of consumers who have placed fraud alerts on their consumer reports before grant- 
ing credit in the consumer’s name. By means of the “Red Flag” rulemaking, finan- 
cial institutions and creditors will have to analyze identity theft patterns and prac- 
tices so that they can take appropriate action to prevent the crime. The Disposal 
of Consumer Report Information and Records rule will help to ensure that sensitive 
consumer information derived from consumer reports, including Social Security 
numbers, is disposed of properly. 

We expect that these provisions should significantly improve victims’ ability to re- 
cover from their identity theft with a minimum of trouble and help to reduce the 
occurrence of identity theft. It should be noted that the majority of these provisions 
will not take effect until December 1, 2004. At that time, we will be able to begin 
assessing their impact. 

Generally, the private sector has been responsive in addressing particular prob- 
lems in the system that can facilitate identity theft as those problems come to light. 
Combating this crime requires an ongoing effort by both the public and private sec- 
tors to identify new vulnerabilities and to implement new measures to protect 
thieves from exploiting them. 

Question: If a private entity — for example, a consumer reporting agency, 
health care organization, or information reseller — has an individual’s SSN 
in its possession, and this information is used in an identity theft or fraud, 
should that entity be held strictly liable for any harm done? Please com- 
ment on the advantages or disadvantages of this idea, as well as its feasi- 
bility and potential effectiveness in combating identity theft. 

Answer: As demonstrated by the Synovate survey (see Q. 2 above), it is not often 
evident to victims how identity thieves obtain SSNs. Thus, a strict liability standard 
may not be the most appropriate means of curbing misuse of SSNs. A number of 
Federal laws mandate significant information security practices, which can protect 
SSNs from improper disclosure and use. Among these laws, the FCRA requires that 
consumer reporting agencies not disseminate consumer reports to entities unless 
they meet a statutorily permissible purpose to use the report. Nation amendments 
also require anyone with consumer information derived from consumer reports to 
dispose of that information properly. GLBA requires that financial institutions de- 
velop a program for taking reasonable steps to protect sensitive customer informa- 
tion and ensure that the program evolves to keep pace with new fraud trends. 
HIPAA and the Driver’s Privacy Protection Act also require protection of sensitive 
information. I appreciate that certain entities or consumers are not covered by these 
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laws (e.g., retail customers, employers). The Commission, however, can and has 
brought enforcement actions for security breaches or potential security breaches 
under section 5 of the FTC Act (i.e., In the matter of Guess?, Inc. and Guess.com, 
Inc., http://www.ftc.gov/os/2003/06/guessagree.htm and In the matter of Microsoft 
Corp., http://www.ftc.gov/os/2002/12/microsoftdecision.pdf). 

Questions from Chairman E. Clay Shaw, Jr. to Mr. Patrick O’Carroll 

Question: You mentioned that one terrorist suspect in a case your agents 
helped investigate had two Social Security cards in his possession at the 
time of his arrest. Were they SSNs he obtained from the SSA using fraudu- 
lent documentation? Were they fake SSN cards? Were they cards he ob- 
tained or stole from somebody else? 

Answer: At the time of his arrest, the subject had two genuine Social Security 
cards in his possession; one belonged to the subject, and the other belonged to the 
brother of the subject. The investigation revealed that both individuals were born 
in the United States. The SSNs/cards were legitimately obtained from SSA, and 
both the subject and his brother were properly enumerated. 

Question: Are there other provisions you recommend for inclusion in the 
Social Security Number Privacy and Identity Theft Prevention Act of 2003, 
H.R. 2971, to further prevent terrorists from obtaining or using SSNs to 
abet their heinous crimes? 

Answer: We recommend reviewing the implications of releasing information on de- 
ceased individuals and also recommend examining the potential for increased pro- 
tection of this information. 

The SSA should be permitted to cross-verify Social Security numbers against gov- 
ernment and private databases to identify and fix inaccuracies which would limit 
the spread of false identification and SSN misuse. We also encourage more data 
matching opportunities under longer term agreements, some of which may require 
a change in the current legislation. 

Question: You mentioned a couple of cases where SSNs were fraudulently 
obtained for nonexistent children. How did this happen? 

Answer: The one case mentioned involved an elaborate conspiracy that included 
one man and eleven women. The women would visit Chicago and surrounding sub- 
urban area Social Security offices to apply for Social Security numbers for their sup- 
posedly newborn children. These individuals applied for the SSNs using counterfeit 
Illinois birth certificates, Department of Health immunization records and bogus 
employment identifications provided to them by the ringleader. 

The names used on all the Social Security applications belonged to undocumented 
Nigerian citizens who paid the ringleader up to $5,000 each for a valid Social Secu- 
rity number, Illinois driver’s license and U.S. Passport. The suspects would then 
visit local Social Security offices a month or two later with a second counterfeit Illi- 
nois birth certificate and their new identification to request a correction of their 
date of birth on Social Security records. 

Question: Are the provisions in H.R. 2971 that your office recommended, 
which would require independent verification of all birth documents and 
improvements in the enumeration-at-birth process, sufficient to help pre- 
vent this from happening? 

Answer: We believe that provisions 201 and 202 of HR 2971 will reduce the ease 
with which criminals may fraudulently obtain SSNs for non-existent children. A re- 
cent audit and numerous investigations indicate that because SSA does not verify 
birth records for children under the age of 1, criminals have inappropriately ob- 
tained SSNs for nonexistent children using invalid birth records. Accordingly, we 
recommended that the Agency close this loophole by verifying the authenticity of 
birth records presented by all U.S. citizens applying for original SSNs. We are cur- 
rently awaiting the Agency’s response to our recommendation. However, we com- 
mend the Subcommittee for taking proactive measures by including provision 201 
in the proposed legislation — making it essential that SSA ensure the legitimacy of 
birth records submitted with original SSN applications. 

Regarding section 202 of HR 2971, related to SSA’s enumeration at birth program, 
we support the Committee’s proposal that SSA tighten controls within this program. 
While our 2001 report Audit of the Enumeration at Birth Program (A-08-00-10047) 
concluded that generally the program was providing accurate and reliable data for 
SSA’s enumeration of newborns, we recommended that the Agency implement addi- 
tional controls to prevent those with criminal motives from submitting SSN applica- 
tions for nonexistent children. The Agency has explored this idea and taken some 
action on our recommendations. However, we believe the provisions outlined in sec- 
tion 202 of the Social Security Number Privacy and Identity Theft Prevention Act 
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of 2003 would provide further incentive for the Agency and participating hospitals 
and States to implement our proposed corrective actions. 

Question: You mentioned a case involving fraudulent acquisition of SSNs 
for unauthorized immigrants. Do you know what the unauthorized immi- 
grants were doing with the fraudulently obtained SSNs? You stated the 
penalty some members of the scheme received was 2 years in prison. 

Answer: Actually, certain subjects in the case mentioned above (Question 2) were 
given 2 year sentences. Other subjects in this case, who conspired to traffic in unau- 
thorized immigrants, were sentenced as much as 71 months in prison. The fraudu- 
lent SSNs that were received by illegal immigrants were used to obtain employ- 
ment, as well as for obtaining driver’s licenses, credit cards, mortgage loans, and 
so forth. 

Question: You have recommended new and enhanced penalties for fraud- 
ulently obtaining SSNs or SSN misuse which we have included in H.R. 
2971. Are there others that are needed? 

Answer: The OIG supports SSA’s proposal requesting that the United States Sen- 
tencing Commission review and amend Federal sentencing guidelines to provide an 
appropriate penalty for any offense under sections 208, 811, or 1632 of the Social 
Security Act or any offense under 18 USC 1001 with respect to the Social Security, 
Special Veterans’ Benefits, and the Supplemental Security Income programs. A pri- 
mary purpose of sentencing guidelines is to reduce the disparity in sentencing be- 
tween defendants who commit similar crimes, section 304 of H.R. 2971 proposes to 
amend sections 208, 811, and 1632 in order to obtain enhanced penalties, in cases 
of terrorism, drug trafficking, crimes of violence, or prior offenses, but it does not 
specifically direct the U.S. Sentencing Commission to consider amending Federal 
sentencing guidelines regarding these sections. In addition, the inclusion of the in- 
creased the penalties imposed for SSA employees who are convicted of selling SSNs 
will be a good deterrent in this area. 

Question: You stated that you support cross-verification of SSNs through 
both governmental and private sector systems of records to identify and 
address inaccuracies. You said that all law enforcement agencies should be 
provided the same SSN verification services granted to employers. What 
does the SSA say regarding the proposal? 

Answer: The SSA has not yet officially responded to this OIG proposal, and there- 
fore we will defer to SSA to present its position. 

Question: Why isn’t information available from financial institutions, 
credit bureaus, and information resellers sufficient to prevent cases like 
the fraudulent home loan case you mentioned? 

Answer: Although we believe that representatives from financial institutions, 
credit bureaus and information resellers may be in a better position to respond to 
this question, we will provide the Committee with one possible reason if their infor- 
mation is not sufficient to prevent cases like the fraudulent home loan incident. Spe- 
cifically, most of these organizations currently do not have the ability to verify the 
accuracy of customer SSNs and names with SSA, the actual issuer of the number. 
Historically, the Agency has limited its verification services to employers. 

Over the past several years, our organization has been a strong proponent of ex- 
panding SSA’s authority to perform cross verifications service. Because the SSN has 
become a national identifier, we firmly believe that if the number is to be used as 
such, users should have correct information. For example, the Department of Hous- 
ing and Urban Development had the ability to verify the name of SSN of the loan 
applicant, it would have discovered that an individual was using an incorrect SSN 
(one belonging to someone else) to obtain the loan. 

Question: One of the witnesses at the hearing, Mr. Fred Cate, said that 
if we limit sale, purchase, and display of SSNs that it will affect the avail- 
ability and reliability of data for law enforcement and other vital purposes. 
Do you agree or disagree, and why? 

Answer: We believe there are alternative and reliable sources of data involving 
SSNs for law enforcement. For example, there are legal provisions that allow the 
sharing of SSN information among law enforcement agencies in appropriate cir- 
cumstances. In addition, H.R. 2971 makes appropriate exceptions for law enforce- 
ment officials in the provisions that prohibit the sale, purchase or display to the 
general public of SSNs. 

Question: If a private entity — for example, a consumer reporting agency, 
health care organization, or information reseller — has an individual’s SSN 
in its possession, and this information is used in an identity theft or fraud, 
should that entity be held strictly liable for any harm done? Please com- 
ment on the advantages or disadvantages of this idea, as well as its feasi- 
bility and potential effectiveness in combating identity theft. 
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Answer: The concept of strict liability would confer liability on the consumer re- 
porting agency, health care organization, or information reseller not based on actual 
negligence or intent to harm, but instead on the breach of an absolute duty to pro- 
tect SSNs in its possession. This strict liability would benefit fraud victims. With 
the risk of this increased liability, there would likely be more motivations for these 
organizations to better protect SSNs. At the same time, the adoption of strict liabil- 
ity may be criticized by private industry for not considering the intent of these orga- 
nizations or whether these organizations acted negligently. 

This hypothetical illustrates the need for H.R. 2971 for those organizations not 
exempt from the H.R. 2971 limitations, such as the private resellers of information. 
The H.R. 2971 approach would limit the availability of SSNs to such entities, thus 
reducing the likelihood of their fraudulent use. A more feasible alternative might 
be the creation of a private cause of action on the part of victims against an indi- 
vidual or organization that did not exercise due diligence in the handling of their 
personal information. 

Questions from Chairman E. Clay Shaw, Jr. to Ms. Barbara Bovbjerg 

Question: You mentioned during your testimony that monitoring of the 
day-to-day release of information under the restrictions imposed by the 
Gramm-Leach-Bliley Act (GLBA) is essentially an “honor system.” Could 
you elaborate on how it works? What is known about the degree to which 
businesses comply with the privacy requirements under the GLBA? 

Answer: In my testimony, I observed that generally Federal laws have controlled 
the use and disclosure of the SSN in specific industries, but that secondary disclo- 
sure by clients of these firms is generally not closely monitored. GLBA is one of the 
laws that restrict disclosure and is illustrative of the point that businesses that are 
indirectly governed by these privacy laws are expected to adhere to them, but are 
not necessarily monitored for compliance. For example, GLBA restrictions apply to 
institutions that are considered to be financial institutions under GLBA, which cov- 
ers a broad range of financial institutions. In addition, entities that receive con- 
sumers’ financial information from a financial institution under GLBA are also sub- 
jected to GLBA’s restrictions. However, companies such as some information re- 
sellers that fall outside of the purview of Federal regulators may or may not adhere 
to GLBA. However, Federal regulators enforcing GLBA compliance are not required 
to monitor entities that are not directly under their jurisdiction. 

In our work for this Subcommittee, we found that some CRAs consider themselves 
to be financial institutions under GLBA. These entities are therefore directly gov- 
erned by GLBA’s restrictions on disclosing nonpublic personal information to non- 
affiliated third parties. We also found that some of the information resellers we 
spoke to did not consider their companies to be financial institutions under GLBA. 
However, because they have financial institutions as their business clients, they 
complied with GLBA’s provisions in order to better serve their clients and ensure 
that their clients are in accordance with GLBA. 

FTC staff told us that GLBA also includes certain broad exceptions that are 
unspecific. For example, FTC officials said that they receive many inquiries from 
CRAs and information resellers concerning the application of GLBA’s exceptions, 
such as whether the exceptions apply to certain circumstances. As a result, FTC of- 
ficials said it is difficult to determine how and whether certain entities, such as in- 
formation resellers, are appropriately interpreting the exceptions. 

Question: You stated that court records are among those most often cited 
as containing SSNs in your survey on how government entities collect and 
store SSNs. Do you have any information on the percent containing SSNs 
because Federal, state, or local laws and regulations require them? 

Answer: We cannot accurately calculate such a percentage until we have complied 
and verified all survey data from our ongoing work on SSNs in public records. Our 
work will be completed in September 2004. 

Question: Some of the witnesses at the hearing asked for specific statu- 
tory exemptions from the restrictions contained in sections 101 and 107 of 
H.R. 2971, rather than relying on the Attorney General’s regulatory author- 
ity provided in section 102. In your view, is the authority provided in the 
bill to the Attorney General sufficient to address these concerns? 

Answer: H.R. 2971 would give the Attorney General discretionary authority to de- 
termine which entities could be exempted from the prohibition of engaging in the 
sale, purchase, or display of SSNs to the general public. As written, the bill provides 
for flexibility in determining which if any entities would be exempted, and offers a 
means to address concerns with such a prohibition once the law is passed that 
might not have been envisioned at the time it was drafted. Such an approach seems 
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designed to address changing circumstances rather than addressing existing con- 
cerns of specific entities. 

If present concerns are deemed valid, the only way to assure that those concerns 
are addressed is to write them into the bill prior to passage, although such exemp- 
tions would still be subject to interpretation by courts. 

Question: A witness representing the National Council of Investigation 
and Security Services requested the deletion of section 108 of H.R. 2971, cit- 
ing the usefulness of credit headers in locating witnesses, criminal sus- 
pects, estate beneficiaries, and others. What other sources of information 
could be used to locate such persons if section 108 of H.R. 2971 were en- 
acted into law? 

Answer: Credit header information matches a persons’ identifying information to 
their address, which is useful for purposes such as locating individuals. However, 
information is clearly available from other sources as well. Our current work shows 
that identifying information, such as name, addresses, and SSNs, can be found in 
public records and other publicly available information such as newspapers. In addi- 
tion, entities willing to pay a fee can purchase such data from information resellers 
who specialize in amassing personal information. 

Question: If a private entity — for example, a consumer reporting agency, 
health care organization, or information reseller — has an individual’s SSN 
in its possession, and this information is used 

Answer: Currently, identity theft victims are fully responsible for correcting prob- 
lems caused by identity thieves. For example, victims must contact the major CRAs 
to have a fraud alert placed on their credit, file a report with the appropriate law 
enforcement entities, and if credit card misuse is involved they must report the mis- 
use to their credit card company. Although private sector entities and the FTC have 
worked to lessen the burden on identity theft victims, identity theft victims can 
spend an average of 60 hours trying to resolve their problems. 

Results from a recent FTC survey show that identity theft victims feel that the 
financial community could do more to help resolve their problems. Many identity 
theft victims reported that improved follow-up and assistance by the financial com- 
munity, as they attempted to repair their records, would be beneficial. Identity theft 
victims also reported that financial institutions, including CRAs, could make greater 
efforts to monitor consumers’ account activity and notify them when unusual trans- 
actions occur. They also reported some degrees of dissatisfaction with the way CRA’s 
and credit card companies have handled their identity theft related reports. For ex- 
ample, 31% of victims were dissatisfied with all of the CRAs they contacted while 
18% were dissatisfied with all of the credit card companies to whom they reported 
misuse of their credit cards. 

CRAs, credit card companies and others are in a unique position to help identity 
theft victims resolve their problems. To the extent that these companies are made 
liable for losses, it is likely that more actions will be taken to protect SSNs and 
other personal information companies maintain. However, the benefits of assigning 
such liability to these companies must be balanced against the difficulty that these 
companies are likely to have in monitoring millions of individuals’ accounts. In addi- 
tion, holding companies responsible for identity theft victims’ financial losses may 
not reduce the amount of time these victims spend trying to resolve their problems. 

Questions from Chairman E. Clay Shaw, Jr. to Mr. Lawerance Maxwell 

Question: You mentioned the Financial Industry Mail Security Initiative 
(FIMSI). Could you elaborate on who participates in the working group 
and the recommendations specifically made with regard to preventing use 
of SSNs? Why did the group believe a recommendation specifically dealing 
with SSNs was necessary? 

Answer: The U.S. Postal Inspection Service sponsored the Credit Card Mail Secu- 
rity Initiative starting in 1993 in response to a dramatic spike in the theft of credit 
cards. Representatives from the credit card and retail Industries attended these 
meetings which were held on a quarterly basis in WashingtonDC. 

The Postal Inspection Service decided in 2003 to expand the focus of the meetings 
to include presentations on money laundering, Internet fraud and bank fraud 
schemes. The attendee list was expanded to include both state and Federal prosecu- 
tors, investigators from local banks and credit unions, Federal and state law en- 
forcement. Working groups include the Non Received Credit Card Working Group, 
the Bust-Outs Working Group, the Bank Fraud Working Group, and the Identity 
Theft Working Group. This new expanded group meets on a semi-annual basis. One 
of the more noteworthy accomplishments stemming from the credit card initiative 
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was the credit card activation “800” number which has become an industry standard 
for security. 

The Identity Theft Working Group made recommendations dealing specifically 
with social security numbers (SSN’s) in their consumer awareness campaign. Since 
the SSN is used as a personal identifier, it is the key piece of information needed 
to conducting Identity Theft. These recommendations included memorizing your 
SSN and passwords rather than carrying the cards with you; and, if possible, do 
not use your SSN as your identifying number on your driver’s license. 

Question: You mentioned cases involving rings of identity thieves, who 
obtained lists with the victims’ names, dates of birth, SSNs, and other infor- 
mation. How easy would it be for these criminals to steal an individual’s 
identity without the SSN? 

Answer: The SSN is currently used as a personal identifier; this was never the 
intent when it was created. Without the SSN it would be much more difficult to 
take over an individual’s identity. They would not be able to access or open financial 
accounts, instant credit accounts, or even cellular telephone accounts. The SSN is 
the key component to access and individuals credit history. 

Questions from Chairman E. Clay Shaw, Jr. to Mr. Mark Ladd 

Question: You mentioned the Property Records Industry Association’s 
participation in the Records Access Policy Advisory Committee. What rec- 
ommendations do you anticipate the Committee will make with respect to 
access to SSNs in public records? 

Answer: The final four points outlined in the written testimony that we submitted 
comprise our recommendations to date. I do not anticipate any major changes in 
these recommendations. 

Question: You suggested that the legislation be effective on a “day-for- 
ward-basis.” This recommendation has been made before and was incor- 
porated into the current bill’s language, which establishes a timeframe of 
2 years from the date of enactment for those who maintain public records 
to comply with the law. Is this enough time? 

Answer: If documents that are on file with our office prior to the effective date 
of this legislation can be posted on our websites, even if they contain SSNs, then 
2 years is more than enough time for compliance. Under this scenario, three to 6 
months would be a sufficient grace period. 

If, however, records that are already on file with our offices must have SSNs re- 
moved before they can be posted on our websites, then no length of time will suffice 
for most counties. A few large counties may be able to afford the cost of compliance, 
but most will not. Only documents presented after the effective date of this legisla- 
tion could be posted on county websites under this scenario. 

Question: You suggested giving public record keepers the authority to 
prohibit the filing of documents with SSNs, without requiring them to do 
so. Why is this important in your view, and would public records keepers 
implement such authority? 

Answer: As I noted in my written and oral testimony, the shear volume of docu- 
ments and the number of pages involved make prescriptive rejection authority ex- 
tremely difficult to manage. However, permissive authority provides land records 
custodians the necessary tool to help protect the privacy concerns of the public if 
we discover a SSN included in a document during our normal review process. 

Our members object to rejection authority being prescriptive, as do our commer- 
cial customers (title companies, abstract companies and attorneys). However, per- 
missive authority empowers us to assist the public in protecting their privacy con- 
cerns without placing an impossible task on our shoulders. 

It is my belief that most land records custodians would utilize permissive author- 
ity to protect the interests of their constituents. 

Question: You said that given the hundreds of thousands of pages of doc- 
uments a jurisdiction may receive in a year, and that the SSN could be 
placed anywhere on a document submitted by the parties involved, that re- 
sponsibility for SSN removal is more properly placed on document pre- 
parers and individual customers. If the bill were modified so that public 
record keepers were required to remove the SSN on forms they require (or 
block it from display if it is collected), but the responsibility and liability 
for removing SSNs on all other materials submitted to the court rested on 
those who file the papers, would that enable you to support this bill? 

Answer: Your proposal on this point is the most workable compromise that I have 
heard between agencies that require the SSN of necessity (such as the Court Ad- 
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ministrators testified) and those of us who receive the SSN without any desire or 
necessity for it. 

Court Administrators who require SSNs could likely adopt rules regarding how 
documents are constructed that would make day-forward redaction manageable. By 
specifying a predetermined location that SSNs are listed in documents, they could 
reduce the effort required to redact. On the other hand, the burden to remove SSNs 
from documents that do not require them is correctly placed on document drafters. 

I think PRIA members would support this proposal. 

Questions from Chairman E. Clay Shaw, Jr. to Mr. Jay Hoofnagle and Mr. 

Edmund Mierzwinski 

Question: Do you agree with Mr. Cate’s statement at the hearing that 
knowing a Social Security number alone does not get an individual credit 
and that it is merely a quick way of locating reliable information about an 
individual that can be used to verify identity? 

Answer: Mr. Cate’s statement perfectly illustrates the problem of the Social Secu- 
rity Number (SSN) — it is used both as an identifier and as an authenticator. That 
is, some businesses use it as a record locator, a master identifier to associate and 
reference records. Other businesses use it for authentication, a process where a per- 
son proves he is who he says he is. Serious security problems are raised in any sys- 
tem where a single device is used both as identifier and authenticator. 1 It is not 
unlike using a password identical to a user name for signing into e-mail. Or like 
a bank routinely using the SSN as an account number and the last four digits of 
the SSN as a PIN for its automated teller machines. 

It is because the SSN is used as both identifier and authenticator that identity 
theft has increased in incidence and prevalence. Because the SSN is relied upon so 
heavily by business, it is the personal identifier that impostors seek in order to com- 
mit crime. Congress’ goal in addressing identity theft and privacy should seek to 
limit availability of the SSN generally and to induce businesses to rely upon alter- 
native identifiers. 

Question: Mr. Cate said that for data to be reliable, businesses and others 
must have been permitted to use SSNs all along, and that national security 
and law enforcement uses of SSNs frequently involve access to routine, in- 
nocuous data. Do you agree or disagree that prohibiting sale, purchase, 
and display of SSNs for unnecessary purposes would jeopardize use of 
SSNs for critical purposes? 

Answer: We disagree with the proposition that businesses have been permitted to 
use the SSN. While Congress has approved government uses of the SSN, the identi- 
fier has never been approved for general private-sector use. 

Restricting the sale, purchase, and display of SSNs for unnecessary purposes pre- 
serves their utility for more critical purposes while decreasing opportunities for im- 
posters to obtain identities to hide behind. Additionally, maintenance of dual identi- 
fiers, or transitions away from SSNs as identifiers, is a very feasible and desirable 
goal as demonstrated by Empire Blue Cross’s transition (4.8M customers), and exist- 
ing requirements in many states prohibiting use of SSNs for student, driver, and 
other identifiers. 

We also contest the notion that government uses of the SSNs frequently involve 
access to routine, innocuous data. The SSN plays an unparalleled role in aggrega- 
tion of information, and thus information once thought to be innocuous can take on 
greater significance. For instance, a document EPIC obtained under the Freedom of 
Information Act from the United States Marshals Service highlights the amount of 
information that can be aggregated around identifiers: 

With as little as a first name or a partial address, you can obtain a comprehensive 
personal profile in minutes. The profile includes personal identifying information 
(name, alias name, date of birth, Social Security number), all known addresses, driv- 
ers license information, vehicle information. . . . telephone numbers, corporations, 


iThe driver’s license is used as both identifier and authenticator, but it is a superior device 
because it includes a picture, address, signature, and basic physical information. It expires regu- 
larly and must also be renewed. A SSN lacks any of these additional features; see also Lynn 
M. LoPucki, Human Identification Theory and the Identity Theft Problemem, 80 Tex. L. Rev. 89, 
100 (November 2001) {“In particular, Social Security numbers and mothers’ maiden names are 
inherently poor passwords because they are widely known and difficult to change. Knowledge 
of a Social Security number supports only a weak inference that the knower is the person to 
whom that Social Security number was assigned.”). 
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business affiliations, aircraft, boats, assets, professional licenses, concealed weapons 
permits, liens, judgments, lawsuits, marriages, worker compensation claims, etc. 2 

In many cases, collection of the SSN is not necessary, and Congress should act 
swiftly to curb these uses of the SSN. In January 2002, a statewide grand jury 
empanelled by the Florida Supreme Court found in its first report that: 

We have identified that the government and business take in much more informa- 
tion than necessary to conduct business. For example health clubs require members 
to disclose their Social Security numbers on applications for membership; video 
rental stores ask for social security numbers on applications; and life insurance com- 
panies ask for social security numbers of beneficiaries; local governments ask for So- 
cial Security numbers on routine transactions. We were distressed to learn from the 
Interim Project Report by the Committee on State Administration and Committee 
on Information Technology that 96.3% of state agencies do not even have a written 
policy relating to the collection of Social Security numbers. This same report indi- 
cates that 63% of these agencies disclose Social Security numbers on some public 
record requests. 

Medical service providers and insurance companies routinely substitute Social Se- 
curity numbers for patient or policy numbers, unnecessarily exposing this sensitive 
information to scrutiny on such documents as health and insurance cards. Unse- 
cured mailboxes and trash containers provide thieves with easy access to this per- 
sonal information. 3 

The body found that personal information was being collected by government enti- 
ties and disseminated in public records. It recommended that State law be amended 
to require consent of the citizen, a court order, or a compelling need before identi- 
fying information of citizens was included in the public record. It also found that 
the “public and private sectors routinely use and rely on the consumer’s Social Secu- 
rity number for use as an identifier and an account number.” The body rec- 
ommended that the State legislature “prohibit the use of Social Security numbers 
for independently generated identifiers to track customers, patients, policies, and so 
forth., unless required by law.” 4 

Finally, we note that Mr. Cate’s previous testimony supports limits on govern- 
ment collection of personal information. 5 In testimony to the House Energy and 
Commerce Subcommittee on Consumer Protection, Mr. Cate wrote: 

The government plays many critical roles in helping to protect individual privacy. 
One of the most important responsibilities of the government is assuring that its 
own house is in order. Only the government has the power to compel disclosure of 
personal information and only the government operates free from market competi- 
tion and consumer preferences. As a result, the government has special obligations 
to ensure that it complies with the laws applicable to it; collects no more informa- 
tion than necessary from and about its citizens; employs consistent, prominent infor- 
mation policies through public agencies; and protects against unauthorized access 
to citizens’ personal information by government employees and contractors. Simi- 
larly, there are many steps that only the government can take to protect citizens 
against privacy-related harms, such as identity theft: Make government-issued 
forms for identification harder to obtain; make the promise of centralized reporting 
of identity thefts a reality; make it easier to correct judicial and criminal records 
and to remove permanently from one individual’s record references to acts com- 
mitted by an identity thief. The government alone has this power. 

We agree that a large part of protecting privacy in the context of SSNs involves 
the government reducing the collection and disclosure of personal information. H.R. 
2971 has many provisions that would promote these goals. 

Question: Some of the witnesses at the hearing asked for specific statu- 
tory exemptions from the restrictions contained in sections 101 and 107 of 
H.R. 2971, rather than relying on the Attorney General’s regulatory author- 


2 Sole Source Justification for Autotrack (Database Technologies) (n.d.) (document obtained 
from the USMS), available at http://epic.org/privacy/choicepoint/cpusms7.30.02j.pdf; see also 
Chris Jay Hoofnagle, Big Brother’s Little Helpers: How ChoicePoint and Other Commercial Data 
Brokers Collect and Package Your Data for Law Enforcement, 29 N.C.J. Int’l L. & Com. Reg. 
595 (Summer 2004). 

3 Identity Theft in Florida, First Interim Report of the Sixteenth statewide Grand Jury, SC 
01-1095 (Fla. Jan. 2002), available at http://myfloridalegal.com/pages.nsf/ 
4492d797dc0bd92f85256cb80055fb97/758eb848bc624a0385256cca0059f9dd!OpenDocument. 

4 Id. 

5 Hearing on Privacy in the Commercial World, Committee on Energy and Commerce, Sub- 
committee on Commerce, Trade, and Consumer Protection, U.S. House of Representatives, Wash- 
ington, D.C., Mar. 1, 2001 (statement of Fred Cate), at http://www.law.indiana.edca/directory/ 
publications/fcate/cate010301.pdf. 
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ity provided in section 102. In your view, is the authority provided in the 
bill to the Attorney General sufficient to address these concerns? 

Answer: The authority provided to the Attorney General is sufficient, provided 
that the asked-for exceptions satisfy the statutory standard requiring a compelling 
interest that cannot be served through the employment of alternative measures. We 
think that this standard has enough flexibility to address legitimate needs for the 
SSN while avoiding the codification of exceptions. If exceptions are codified, it is un- 
likely that qualifying industries will ever transition to alternative identifiers. We 
therefore suggest that all exceptions sunset after a given number of years to encour- 
age a transition to alternative identifiers. 

Question: This Subcommittee has heard from a number of victims of 
identity theft. A common, and frustrating, theme is that after individuals 
discover the theft and report it to credit bureaus and financial institutions, 
they continue to be victimized by identity theft. How can this continue to 
occur, given the anti-fraud programs the industry cites? In your judgment, 
is the private sector doing enough to combat identity theft and assist its 
victims? Are there more effective ways to assist victims of identity theft to 
correct their credit histories? 

Answer: We think that creditors, in order to obtain new accounts and compete vig- 
orously, are employing lax identification and authentication procedures that make 
identity theft easy to commit. 6 In a typical scenario, an impostor will gather per- 
sonal information of the victim and apply repeatedly for credit until they get a “hit.” 
Impostors can rely upon a creditor’s alacrity to open new accounts in victims’ 
names. 

In passing the Fair Credit Reporting Act in 1970, one of Congress’ prime goals 
was to place fairness and privacy duties on credit reporting agencies (CRAs). This 
was necessary because competition did not produce competent or even decent credit 
reporting activities. 7 CRAs were not subject to adequate market pressure to ensure 
accuracy and fairness because the customers of CRAs are creditors, not individual 
members of the public. Congress thus created duties on the CRAs, users of credit 
reports, and furnishers of personal information. Those duties are now inadequate. 
For instance, under the FCRA, credit reporting agencies only are required to “main- 
tain reasonable procedures designed” to prevent unauthorized release of consumer 
information. 8 In practice, this means that credit reporting agencies must take some 
action to ensure that individuals with access to credit information use it only for 
permissible purposes enumerated in the Act. The FTC Commentary on the FCRA 
specifies that this standard can be met in some circumstances with a blanket certifi- 
cation from credit issuers that they will use reports legally. 9 

This certification standard is too weak. It allows a vast network of companies to 
gain access to credit reports with little oversight. It treats credit issuers and other 
users of credit reports as trusted insiders, and their use of credit reports and ulti- 
mate extension of credit as legitimate. 

Even where fraud is suspected, creditors only have minimal authentication duties. 
Once the individual does suspect wrongdoing and triggers an alert, new protections 
in the Fair and Accurate Credit Transactions Act (FACTA) require that creditors 
use “reasonable policies and procedures to form a reasonable belief that the user 
[creditorl knows the identity of the person making the request.” 10 It is somewhat 
troubling that a tradeline can be extended without at least “reasonable policies and 
procedures” to verify the credit applicant’s identity. It seems only reasonable that 
such protections be in place by default, rather than when fraud is actually expected. 

We think that more accountability could be encouraged in this area if creditors 
were held liable to victims for extending credit to impostors. However, courts have 
been reluctant to recognize a right of action for negligent extension of credit. Most 
recently, the South Carolina Supreme Court rejected the tort of “negligent 
enablement of imposter fraud.” 11 In that case, the plaintiff identity theft victim al- 
leged that banks owe a duty to identity theft victims when they negligently extend 


6 See e.g., Jeff Sovern, The Jewel Of Their Souls: Preventing Identity Theft Through Loss Allo- 
cation Rules, 24 U. Pitt. L. Rev. 343, 358 (Winter 2003) (arguing that “[glreater vigilance on 
the part of the merchants involved would have prevented many identity frauds”). 

7 Robert Ellis Smith, Ben Franklin’s Web Site, Privacy and Curiosity from Plymouth Rock to 
the Internet (Privacy Journal, 2000). 

8 15 U.S.C. § 1681e(a). 

9 The FTC is statutorily barred from promulgating regulations on the FCRA. 15 U.S.C. 
§ 1681s(a)(4). The agency issues a non-binding commentary on the Act. Credit, Trade Practices, 
16 CFR §600, 607 (1995). 

10 Pub. L. No. 108—159 §112 (h)(l)(b)(i). FACTA amended the Fair Credit Reporting Act, 15 
U.S.C. § 1681. 

11 Huggins v. Citibank, 585 S.E.2d 275 (S.C. 2003). 
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credit in their name. The defendants argued that no such duty existed because the 
victim was not actually a customer of the bank. Focusing on the requirement that 
an actual relationship exist between victim and tortfeasor before a legal duty arises, 
the court rejected the proposed cause of action: 

“We are greatly concerned about the rampant growth of identity theft and finan- 
cial fraud in this country. Moreover, we are certain that some identity theft could 
be prevented if credit card issuers carefully scrutinized credit card applications. 
Nevertheless, we — decline to recognize a legal duty of care between credit card 
issuers and those individuals whose identities may be stolen. The relationship, if 
any, between credit card issuers and potential victims of identity theft is far too at- 
tenuated to rise to the level of a duty between them. 12 

Congress could assist victims greatly by creating an enforceable duty so that 
creditors were more responsible with victims’ credit. 

Question: We have heard a recommendation that Congress consider cre- 
ating a nationwide system of cross-verification of SSNs among public agen- 
cies and private businesses. What is your view of this recommendation? 
Are there other ways to increase the security and integrity of the SSN that 
would not unnecessarily compromise privacy? 

Answer: In passing the Privacy Act 1974, Congress was specifically reacting to 
and rejecting calls for the creation of a similar idea, a one-stop “federal data center” 
for personal information. A 1977 report issued as a result of the Privacy Act high- 
lighted the dangers and transfers of power from individuals to the government that 
occur with centralization of personal information: 

In a larger context, Americans must also be concerned about the long-term effect 
recordkeeping practices can have not only on relationships between individuals and 
organizations, but also on the balance of power between government and the rest 
of society. Accumulations of information about individuals tend to enhance authority 
by making it easier for authority to reach individuals directly. Thus, growth in soci- 
ety’s recordkeeping capability poses the risk that existing power balances will be 
upset. 13 

Creation of a nationwide system of SSN verification across public agencies and 
private businesses will upset balances of power described in the 1977 report and re- 
duce individuals’ autonomy from both government and commercial entities. 

Promoting the use of the SSN also hardens the number as a de facto national 
identifier. The creation of a national ID runs counter to public sentiment and recent 
congressional action. 14 

This concern is not new; it was voiced at the creation of the SSN and has since 
been raised repeatedly. The SSN was created in 1936 for the sole purpose of accu- 
rately recording individual worker’s contributions to the Social Security fund. The 
public and legislators were immediately suspicious and distrustful of this tracking 
system fearing that the SSN would quickly become a system containing vast 
amounts of personal information, such as race, religion and family history, that 
could be used by the government to track down and control the action of citizens. 
Public concern over the potential for abuse inherent in the SSN tracking system was 
so high, that in an effort to dispel public concern the first regulation issued by the 
Social Security Board declared that the SSN was for the exclusive use of the Social 
Security system. 

The use of the SSN as the means of tracking every encounter between an indi- 
vidual and the government will expand the treasure trove of information accessible 
to the unscrupulous individual who has gotten hold of another’s SSN. The use of 
the SSN as the mandatory national identifier will facilitate linkage between various 
systems of governmental and private sector records further eroding individual pri- 
vacy and heightening surveillance of each American’s life. 

There are ways to strengthen integrity of the SSN without implicating privacy. 
For instance, the format of the SSN could be changed to include a “checksum,” a 
formula that allows one to immediately verify whether the number has a proper 
form. Credit card numbers already are issued in this fashion so that they cannot 
be guessed or faked easily. 

Question: A witness representing the National Council of Investigation 
and Security Services requested the deletion of section 108 of H.R. 2971, cit- 
ing the usefulness of credit headers in locating witnesses, criminal sus- 


12 Id. at 334. 

13 Privacy Prot. Study Comm’n, Personal Privacy in an Information Society: The Report of the 
Privacy Protection Study Commission (1977), available at http://www.epic.org/privacy/ 
ppscl977report/cl.htm. 

14 For instance, the Department of Homeland Security is expressly prohibited from developing 
National ID systems. 6 USCS § 554 (2004). 
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pects, estate beneficiaries, and others. Do you share this view? Are there 
other sources of information that could be used to locate such persons if 
section 108 of H.R. 2971 were enacted into law? 

Answer: Under H.R. 2971, credit headers could still be accessed by private inves- 
tigators where they have a “permissible purpose” under the FCRA. The FCRA would 
allow access where the private investigator had a court order, where it is used for 
employment purposes, or where it is used for collection of an account. In the con- 
texts listed above, it seems that a court order would be readily obtainable, thus sat- 
isfying the FCRA requirement, as location of witnesses, criminal suspects, and es- 
tate beneficiaries are all activities likely to occur within the context of a court ac- 
tion. As a fairness measure, the law would require the CRA to note on the credit 
report that the information had been accessed by the private investigator. We think 
that this is an appropriate standard for access to credit headers, which contain all 
the personal identifiers necessary for the commission of fraud or harassment. 

Investigators did exist before the credit header system was created. They are re- 
sourceful and can call upon different resources to obtain personal information. The 
current system, where a network of private investigators can obtain credit headers 
on any person, is unfair and privacy invasive. Individuals do not even receive notice 
that their personal information has been obtained under the current framework. 
Furthermore, in some states, private investigators are not even licensed to practice. 
In others, licensure is merely a pro forma activity. Serious accountability concerns 
are present, most notably exemplified by the Amy Boyer case, where private inves- 
tigators used credit headers and pretexting to locate a young woman for a stalker 
who killed her. 15 

We also suspect that the private investigators may be putting on “their best face” 
for maintaining access to credit headers. No one wants to impede the function of 
a private investigator when they are finding individuals in order to give them inher- 
itance from an estate. We question what percentage of credit header access is per- 
formed for this function. 

If Congress chooses to maintain access, it should limit the purposes for which in- 
vestigators can obtain credit headers. When access is obtained, a notation should 
be entered onto the credit report so that the individual can find out who has been 
purchasing access to their personal information. 

Question: One witness at the hearing testified that an FTC study on iden- 
tity theft indicated that the SSN does not play a major role in identity 
theft. Do you agree with this interpretation of the study? 

Answer: We strongly disagree with the proposition advanced by Mr. Cate in oral 
and written testimony on June 15, 2004 that the Social Security Number (SSN) does 
not play a major role in identity theft. Common sense, the experience of identity 
theft clearinghouses, identity theft litigation, and the academic literature support 
the proposition that the SSN plays a primary role in identity theft. It is almost im- 
possible to obtain credit without a SSN, making possession of the identifier a nec- 
essary condition for commission of identity theft. Under Federal law, states must 
collect SSNs in order to issue driver’s licenses; therefore the identifier is always in- 
volved in cases where an impostor seeks credentials in a victim’s name. Mr. Cate 
may be correct that the SSN is not a major factor in credit card fraud, but that form 
of identity theft is less serious from the victim’s perspective, and legislative effort 
to prevent the crime should focus on impostors who obtain new accounts or creden- 
tials in the victim’s name. 

This common-sense problem of SSN being linked to fraud was identified by a Flor- 
ida statewide grand jury devoted to exploring problems of identity theft: One of the 
most valuable pieces of information that an identity thief is searching for is the So- 
cial Security number, because the American financial industry has placed great reli- 
ance on it as the primary means of identifying individuals. Universities identify stu- 
dents with it. Providers of medical care and insurance coverage use it to identify 
their patients and clients. 16 

The Florida grand jury made strong recommendations for limiting disclosure and 
use of the SSN in order to address identity theft . . . the sale of Social Security 
numbers must be stopped. The Federal proposals must be adopted and Florida must 
continue its efforts to enforce the recently enacted laws that make social security 
numbers confidential within public records and prohibit its release. Florida must 
also continue to minimize the requests for Social Security numbers to be included 


15 Electronic Privacy Information Center, Amy Boyer, available at http://www.epic.org/privacy/ 
boyer/. 

16 Identity Theft in Florida, Second Interim Report of the Sixteenth statewide Grand Jury, SC 
01-1095 (Fla. Nov. 2002), available at http://myfloridalegal.com/pages.nsf/ 
4492d797dc0bd92f85256cb80055fb97/f6995a8304fb723685256cca0059975f!OpenDocument. 
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on documents that will become public record, where the number is of little relevance 
to the government function. 17 

The experience of the major identity theft clearinghouses point to the central role 
that the SSN plays in fraud. A visit to the Web site of the Privacy Rights Clearing- 
house, a leading provider of direct assistance to identity theft victims, reveals a 
number of cases where SSNs were the key to fraud: It’s just a number, a nine-digit 
sequence issued by the U.S. Government. Every American must have one. It be- 
comes your identity for life. 

But most Americans take it for granted. I did — until my Social Security number, 
along with other personal information, fell into the wrong hands a couple of years 
ago. Since then, my number — my identity — has been hijacked several times for use 
in stealing thousands of dollars in goods and cash. Each time, I’m left to sort out 
the mess — Recently, I saw an entry blank for a drawing for a house. I stopped to 
look it over, but the instant I saw that the entry required disclosure of Social Secu- 
rity number, I threw it away. That number has become too precious. 18 

Individuals who serve in the military are at particular risk of identity theft, in 
part because of the government’s use of the SSN as an identifier: I have been an 
identity theft victim for 1 year and I’ve yet to find an agency or organization that 
has brought any relief or words of comfort that can make this nightmare seem like 
it will have an end. I retired from the U.S. Army in 1999 after 20 years. July of 
2001, Jerry Wayne Phillips, was able to get a military ID from Ft. Bragg, NC with 
my name and SSN. From there, you probably know the rest of the story. With that 
ID and my good credit history, he was able to buy cars, motorcycles, open credit 
card accounts, checking accounts, and get credit at virtually every department store 
that offers credit. I never came in contact with him, I didn’t lose a credit card, and 
I wasn’t careless with my Social Security number. The accounts he opened had no 
relationship to any of my accounts. 19 

Another victim testified: 

How can this be possible? How can someone else actually open accounts or borrow 
money in your name? Well, it’s quite easy, as we belatedly found out. All that per- 
son needs to do this is a close approximation of your first and last name and your 
SOCIAL SECURITY number. Spelling or accuracy doesn’t matter. Nothing else 
about you is relevant. Different addresses various spouse names, birthday, any ran- 
dom place of employment, and spelling of this information is irrelevant. Age or any 
other personal information doesn’t matter. All that is required is a first and last 
name that almost matches a Social Security number. The credit agencies readily 
verify an application if the Social Security number presented shows a good credit 
payment record. It doesn’t matter if a different address, birthday, spouse’s name or 
any variation to their recorded data is submitted with the application for their 
verification. The false data submitted by their customer now becomes your informa- 
tion. Again every transaction that involves your credit records is based on only one 
major piece of identification, your social security number. 20 

The Identity Theft Resource Center explains in a publication on the crime that: 
It is also clear that in the majority of identity theft situations victims were not re- 
sponsible for the loss. Most of these situations started because a business or govern- 
mental entity allowed the thief access either directly or indirectly to personal identi- 
fying information. This includes databases, cards carried in wallets that included 
one’s SSN or via items mailed to victims with account or SSN information (allowing 
access through mail theft, dumpster diving or theft), or unsafe information gath- 
ering or handling practices. The reality is there are only two things that a victim 
can do to directly facilitate identity theft: carry a Social Security card in one’s wallet 
or fall victim to a telephone or Internet scam. In all other situations direct links 
to a business entity can be drawn. 21 

Identity theft litigation also shows that the SSN is central to committing fraud. 
In our written testimony, we detailed several identity theft lawsuits where it is 
clear that the SSN was the key to the impostor’s success in the commission of iden- 


17 Id. 

18 Kerry Hill, It All Starts with the SSN: Your Social Security Number Provides Avenue for 
Thieves, Wisconsin State Journal, Sept. 13, 1998, at IB, available at http://privacyrights.org/ 
cases/victiml3.htm (accessed June 29, 2004). 

19 The Military ID Was too Easy to Get: System Failures Aided the Thief, at http:// 
privacyrights.org/cases/victim22.htm (accessed June 29, 2004). 

20 Legislative Testimony of John and Jane Doe, available at http://privacyrights.org/cases/ 
victim5.htm (accessed June 29, 2004) 

21 Identity Theft Resource Center, Identity Theft: The Aftermath 2003, at http:// 
www.idtheftcenter.org/idaftermath.pdf 
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tity theft. 22 In fact, the SSN plays such a central role in identification that there 
are numerous cases where impostors were able to obtain credit with their own name 
but a victim’s SSN, and as a result, only the victim’s credit was affected. 23 Last 
month, the Salt Lake Tribune reported: “Making purchases on credit using your own 
name and someone else’s Social Security number may sound difficult — even impos- 
sible — given the level of sophistication of the nation’s financial services industry — 
But investigators say it is happening with alarming frequency because businesses 
granting credit do little to ensure names and Social Security numbers match and 
credit bureaus allow perpetrators to establish credit files using other people’s Social 
Security numbers.” 24 The same article reports that Ron Ingleby, resident agent in 
charge of Utah, Montana and Wyoming for the SSA’s Office of Inspector General, 
as stating that SSN-only fraud makes up the majority of cases of identity theft. 25 

Because creditors will open new accounts based only on a SSN match, California 
has passed legislation requiring certain credit grantors to comply with heightened 
authentication procedures. California Civil Code §1785.14 requires credit grantors 
to actually match identifying information on the credit application to the report held 
at the CRA. Credit cannot be granted unless three identifiers from the application 
match those on file at the credit bureau. 

We are aware of no academic literature that supports Mr. Cate’s position. Instead, 
even a cursory review of the identity theft academic literature reveals that the SSN 
is understood as a principal tool for fraud. 26 In a recently published article, R. Brad- 
ley McMahon explains the key role that the SSN plays in identity theft: 

The easiest and most common way for a thief to steal someone’s identity is by 
acquiring that person’s Social Security number and other private information. Social 
Security numbers are attractive to identity thieves because the numbers are abun- 
dant and provide access to a victim’s private information. Social Security numbers 
commonly are used as a national identifier for everything from car rentals to credit 
card applications. Often a thief needs only a name and a Social Security number 
to open up a credit card account or to access an existing account. 

A recent study reported that identity theft occurs mainly because information was 
either stolen or released from a company that compiles personal information. Over 
one thousand companies compile comprehensive databases of personal information 
and transfer this information every 5 seconds. Two of the largest compilers of per- 
sonal data are the health care and the financial industries. Often, thieves look to 
these two sources for obtaining personal information. The liberal sharing policies of 
companies allow personal information to flow far beyond primary compilers. Once 
a person’s information is released to one of these central sources, the dissemination 
of the personal information is completely out of the person’s control. The extent to 


22 See e.g. Nelski v. Pelland, 2004 U.S. App. LEXIS 663 {6th Cir. 2004) (phone company issued 
credit to impostor using victim’s name but slightly different Social Security Number); United 
States v. Peyton, 353 F.3d 1080 (9th Cir. 2003) (impostors obtained six American Express cards 
using correct name and Social Security Number but directed all six to be sent to the impostors’ 
home); Aylward v. Fleet Bank, 122 F.3d 616 (8th Cir. 1997) (bank issued two credit cards based 
on matching name and Social Security Number but incorrect address); Vazquez-Garcia v. Trans 
Union De P.R., Inc., 222 F. Supp. 2d 150 (D.P.R. 2002) (impostor successfully obtained credit 
with matching Social Security Number but incorrect date of birth and address); Dimezza v. First 
USA Bank, Inc., 103 F. Supp. 2d 1296 (D.N.M. 2000) (impostor obtained credit with Social Secu- 
rity Number match but incorrect address). 

23 See e.g. TRW Inc. v. Andrews 534 U.S. 19 {2001) (patient’s data was stolen by receptionist 
who successfully applied for credit with a matching SSN but different addresses in a different 
state, a different first name, and different date of birth). 

24 Lesley Mitchell, New wrinkle in ID theft; Thieves pair your SS number with their name, 
buy with credit, never get caught; Social Security numbers a new tool for thieves. The Salt Lake 
Tribune, June 6, 2004, at El. 

25 Id. 

26 See e.g. Harry A. Valetk, Mastering the Dark Arts of Cyberspace: A Quest for Sound Inter- 
net Safety Policies, 2004 Stan. Tech. L. Rev. 2 (2004) (describing problems caused by the “ Nine- 
Digit Key to Identity Theft”); Peter C. Alexander, Identity Theft and Bankruptcy Expungement, 
77 Am. Bankr. L.J. 409 (Fall 2003);Lynn M. LoPucki, Did Privacy Cause Identity Theft?, 54 
Hastings L.J. 1277 (April 2003) (noting that of the identifiers on a credit application, “ most 
important will be Consumer’s Social Security number”); Christopher P. Couch, Forcing the 
Choice Between Commerce and Consumers: Application of the FCRA to Identity Theft, 52 Ala. 
L. Rev. 583 (Winter 2002); Erin M. Shoudt, Identity Theft: Victims “Cry Out” For Reform, 52 
Am. U.L. Rev. 339 (October 2002); Jerilyn Stanley, Crimes Identify Theft: Supporting Victims 
in Recovering From the Crime of the Information Age, 32 McGeorge L. Rev. 566 (Winter 2001); 
Stephanie Byers, The Internet: Privacy Lost, Identities Stolen, 40 Brandeis L.J. 141 (Fall 2001); 
Kurt M. Saunders and Bruce Zucker, Counteracting Identity Fraud In The Information Age: The 
Identity Theft And Assumption Deterrence Act, 8 Cornell J. L. & Pub. Pol’y 661 (Spring 1999); 
Kristen S. Provenza, Identity Theft: Prevention and Liabilityty, 3 N.C. Banking Inst. 319 (April 
1999). 
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which this information proliferates into third party networks is not known. The in- 
formation shared by corporate America is one of the principal sources for identity 
theft. 27 

Professor Daniel Solove of the George Washington Law School similarly argues 
that: SSNs are a key piece of information for identity theft. SSNs can unlock a 
wealth of other information held by the government and the private sector — SSNs 
are used as passwords to obtain access to a host of personal records from banks, 
investment companies, schools, hospitals, doctors, and so on. The SSN is a powerful 
number, for with it a person can open and close accounts, change addresses, obtain 
loans, access personal information, make financial transactions, and more 

In short, the SSN functions as a magic key that can unlock vast stores of records 
as well as financial accounts. The SSN is the identity thief s best tool. 28 

The link between SSNs and identity theft is so well established that most aca- 
demics include reference to the identifier when describing the crime: 

The cases described earlier in this article merely hint at the range of actions that 
may constitute bankruptcy-related identity theft. Forms of bankruptcy-related iden- 
tity theft include, without limitation:n: 

Filing for bankruptcy using the name and/or SSN of another known person, such 
as a parent, sibling, child or other relative; a spouse, ex-spouse, “significant other” 
or ex-significant other; a current or former business partner, co-employee, cosigner 
on a debt, friend, neighbor or fellow student; or even a deceased person. 

Incurring debt under a false name and/or SSN and then filing for bankruptcy, 
using that name and/or number to discharge the debt. Sometimes this debt is owed 
to the government via a farm loan, small business loan, student loan or similar obli- 
gation. 

Transferring property into the name of a relative or friend, then filing for bank- 
ruptcy using that person’s name and/or SSN to avoid foreclosure. Typically the 
transferee agrees to the transfer “to help out,” but does not understand the legal 
ramifications. 

Filing for bankruptcy using a false name and/or SSN that was apparently ran- 
domly chosen, because it does not belong to a person known to the perpetrator 

Using a false SSN when identifying oneself as a bankruptcy petition preparer. 29 

Finally, we take issue with Mr. Cate’s characterization of the Identity Theft Sur- 
vey Report that appears on page 6 of his testimony. On that page, Mr. Cate suggests 
that 76 percent of identity theft cases involved family members, friends, or financial 
institutions, and did not involve third party data. This is not a careful analysis of 
FTC’s findings. Mr. Cate’s 76 percent figure is not based on all identity theft vic- 
tims. Instead, it is based on the minority of identity theft victims who knew the ac- 
tual identity of the impostor (“in 26% of all cases, the victim knew who had misused 
their personal information”). 30 The correct figure certainly is not 76 percent, as Mr. 
Cate suggests. Rather, the FTC very clearly wrote that: 

“35% of the 26% of victims who knew the identity (or, in other words, 9% of all 
victims) said a family member or relative was the person responsible for misusing 
their personal information — 23% of the 26% of all victims who knew the identity of 
the thief (or 6% of all victims) said the person responsible was someone who worked 
at a company or financial institution that had access to the victim’s personal infor- 
mation — Of the 26% who knew the identity of the person who took their informa- 
tion, 18% said the thief was a friend, neighbor, or in-home employee, while 16% said 
the thief was a complete stranger, but the victim later became aware of the thiefs 
identity. (These figures represent 5% and 4% of all victims respectively.) 31 

Mr. Cate would be correct in stating that in 25 percent of cases, the victim knew 
the impostor. However, that does not lead to the conclusion that H.R. 2971 or re- 
strictions on third-party SSN sale is unjustified. H.R. 2971 could still reduce iden- 
tity theft in cases where a friend, family member, company, or financial institution 
has access to SSNs. Instead of dumpster diving or stealing SSNs from computers, 
these impostors rely upon the appearance of the SSN in their acquaintances’ mail 
or other personal belongings. For instance, in the college context, identity theft is 
facilitated by institutions that print the SSN directly on the student identity card. 


27 E. Bradley McMahon, Note: After Billions Spent to Comply With HIPAA and GLBA Privacy 
Provisions, Why is Identity Theft the Most Prevalent Crime in America?, 49 Vill. L. Rev. 625, 
627 (2004). 

28 Daniel J. Solove, Identity Theft, Privacy, and the Architecture of Vulnerability, 54 Hastings 
L.J. 1227, 1252 (2003) 

29 Jane E. Limprecht, Fresh Start or False Start? Dealing with Identity Theft in Bankruptcy 
Cases, American Bankruptcy Institute Journal, December 200, 2000 ABI JNL LEXIS 192. 

30 Federal Trade Commission, Identity Theft Survey Report 28, Sept. 2003, available at http:// 
www.ftc.gov/os/2003/09/synovatereport.pdf. 

31 Id. at 28-29. 
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Accordingly, a roommate can very easily copy or take the victim’s student identity 
card and then have the identifiers necessary to commit identity theft. Contrary to 
Mr. Cate’s conclusion, H.R. 2971 would address these risks of identity theft. As 
SSNs are removed from checks, ID badges, and other materials, individuals will be 
less likely to be victimized by strangers or by their roommates, family members or 
friends. 

Question: If a private entity — for example, a consumer reporting agency, 
health care organization, or information reseller — has an individual’s SSN 
in its possession, and this information is used in an identity theft or fraud, 
should that entity be held strictly liable for any harm done? Please com- 
ment on the advantages or disadvantages of this idea, as well as its feasi- 
bility and potential effectiveness in combating identity theft. 

Answer: EPIC has argued that collection of the SSN should be limited, but where 
it is allowed, it should be subject to a full set of “Fair Information Practices,” rights 
and responsibilities in data that ensure accuracy, access, and accountability. As part 
of the accountability responsibility, a strict liability standard would encourage com- 
panies to avoid unsafe practices. In particular, when a safer alternative activity ex- 
ists, strict liability encourages use of the safer alternative while negligence offers 
no such additional incentive. 

Social Security number usage is a good fit for this standard. There are clear and 
equally effective alternatives to SSN use (alternative identifiers, avoiding SSN use 
altogether if unnecessary, and so forth.), and there is a far greater interest in avoid- 
ing identity theft altogether rather than simply preventing any identity theft that 
is not cost-effective to prevent in the first place, which negligence provides. 

Also, given the relatively small number of SSN aggregators, it is likely to be more 
efficient and less expensive to provide insurance against identity theft for such 
aggregators, rather than for individual potential victims who are likely to be less 
able to gauge their relative risk. The main disadvantage to a strict liability standard 
is that it may impose damages for losses that are unforeseeable or that would be 
too costly to prevent. Additionally, liable entities may draw attention to particular 
cases where significant damages are imposed in the absence of obvious fault. 

By encouraging companies to avoid using SSNs at all, rather than simply pro- 
viding certain protections for unnecessary SSN use, a strict liability standard would 
be more effective at combating identity theft by decreasing the availability of and 
dependence on SSNs. 

We also suggest that Congress consider as an accountability measure a “security 
breach notification” law. California enacted such a law that took effect in July 2003. 
It requires all entities to notify individuals when their unencrypted SSNs are ac- 
quired by an unauthorized person. 32 Under current law, a company could suffer a 
severe security breach and not notify any individual affected (except Californians). 
We think that a notice requirement is a fair condition for continued use of the SSN. 

Questions from Chairman E. Clay Shaw, Jr. to Mr. Brian P. McGuinness 

Question: How many states do not have a specific licensing requirement 
for private investigators? For those states that do have licensing require- 
ments, how uniform are those requirements? Describe the oversight per- 
formed of licensed investigators’ activities? What would prevent an investi- 
gator from becoming licensed, or having a license renewed? 

Answer: There are currently seven states that do not require licensing of private 
investigators. In my state of Florida investigators are subject to extensive criminal 
history background checks. We are stringently regulated with requirements for 
records retention, insurance, training (if armed) and subject to disciplinary action. 
The Department of Agriculture and Consumer Services takes its job seriously. Re- 
quirements do vary among the states but include background checks. Details about 
the various requirements may be found through the website of the International As- 
sociation of Security and Investigative Regulators at www.iasir.org. As in my state, 
investigators are subject to penalties including the loss or suspension of a license. 
Serious violations of state regulations would prevent an investigator from renewing 
a license. Mandatory background checks prevent unqualified applicants from obtain- 
ing one. Let me add that there are very few instances of private investigators mis- 
using identifying data. As proposed, the restrictions on our ability to access critical 
information puts the public at far greater risk than do the handful of cases where 
an investigator may have inappropriately used the data. 


32 California Senate Bill 1386, available at http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351- 
1400/sb_1386_bill_20020926_chaptered.html. 
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Question: You mentioned that information providers audit the users of 
the data to ensure compliance with their contract (i.e., that the data is 
being used only for purposes authorized under the law). Do both licensed 
and unlicensed private investigators have access to credit header data? 
What percent of transactions would you say information sellers audit? How 
many times have you been audited? What checks are there in the system 
to prevent a private investigator (licensed or unlicensed), or a member of 
the staff of a private investigator, from accessing credit header information 
for an unauthorized purpose? 

Answer: We are not aware that the bureaus publish the number or extent of their 
audits. I have never been audited personally, but some of our members have and 
report that TransUnion, for example, has conducted stings to verify our members 
comply with the requirements to know their client and verify the purpose for which 
a report is used. 

Question: You recommended deletion of section 108 of the bill, which 
would authorize the release of SSNs by credit bureaus only under the 
terms required for a full consumer report. That provision in the bill is not 
the jurisdiction of this Committee, but rather the Committee on Financial 
Services. However, we are interested in hearing your feedback about the 
provision. Since the bill’s provision only restricts release of the SSN, why 
couldn’t other parts of the credit header, like name, address, and telephone 
number still be used to locate witnesses? In what percent of cases overall 
is the SSN needed to help differentiate between records? Rather than 
eliminate the provision altogether, is it possible to modify it in a way that 
balances SSN privacy with necessary uses? 

Answer: With regard to jurisdiction, we realize that any changes to the FCRA 
would be done by the Financial Services Committee, however, though you are not 
representing that Committee, Chairman Shaw is the author of the bill and we pre- 
sume would have the authority to make recommendations for amendments. Because 
HR 2971 has been referred to multiple committees we expect that the vehicle that 
will ultimately be considered on the floor would in all likelihood be the product of 
a negotiation among these committees and the House Rules Committee. Rec- 
ommendations of the sponsor and the Ways and Means Committee will be impor- 
tant. 

Name and address information is not sufficient to assure that an individual is the 
person whom we are attempting to locate. The Social Security Number is essential 
for distinguishing among numerous people with the same name. In many instances 
we are seeking persons who share a name with thousands. Even if we had John 
Smith’s birth date it wouldn’t be sufficient because he would share it with many 
other John Smith’s. 

There are two ways requests for credit header information are made: 

One is by submitting a social security number to the credit bureau provider. 
While that appears to be permissible under the current structure of section 108, 
under section 107 (a), it would be unlawful for an investigator acting as a Consumer 
Reporting Agency to submit a Social Security number to the provider or anyone. 
Under the Fair Credit Reporting Act, and pursuant to the FTC, investigators con- 
ducting investigations for a “permissible purpose” are considered to be Consumer 
Reporting Agencies. A substantial percentage of investigations by our members fall 
under the purview of the FCRA. 

It should also be pointed out that the credit bureaus only sell header information 
to entities with whom they have contracted and who have executed those contracts 
which contain detailed limitations on the way that information may be used. I am 
unaware that credit headers are being sold directly to the general public.c. 

Investigators are also required to indemnify the provider unconditionally for any 
liability incurred or alleged. The contracts spell out that the providers will conduct 
periodic reviews of “subscriber activity” and random audits. Violators are subject to 
termination of the account, legal action and being reported to Federal and state reg- 
ulatory agencies. 

The second way header information is requested is by submitting a name and 
date of birth to the provider. However, under section 107 (b)(1), the provider would 
be prevented from providing the Social Security number to the investigator thereby 
preventing a positive identification cross check. 

With regard to modifying section 108, that could be done by inserting exemptions. 
However, we feel it should best be eliminated. 

Following are our suggestions for amending section 107: 

In section 107, after (c) strike (A) and insert the following new subsection: 
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i. to the extent necessary for law enforcement, including (but not limited to) the 
enforcement of a child support obligation, as determined under regulations of 
the Attorney General of the United States issued under section 205(c)(2)(I); 

ii. if the display, sale, or purchase of the number is for a use occurring as a result 

of an interaction between businesses, governments, or business and govern- 
ment (regardless of which entity initiates the interaction), including, but not 
limited to 

a. For use in connection with any civil, criminal, administrative, or arbitral pro- 
ceeding in any Federal, State, or local court or agency or before any self-regu- 
latory body, including the service of process, investigation in anticipation of 
litigation, and the execution or enforcement of judgments and orders, or pursu- 
ant to an order of a Federal, State, or local court, 

b. or the prevention of fraud (including fraud in protecting an employee’s right 
to employment benefits); 

c. the facilitation of credit checks or the facilitation of background checks of em- 
ployees, prospective employees, or volunteers; 

d. the retrieval of other information from other businesses, commercial enter- 
prises, government entities, or private nonprofit organizations 

Question: You said you believe Congress should spell out all the appro- 
priate uses of SSNs in the private sector, rather than allow the U.S. Attor- 
ney General to provide exceptions through regulations to the bill’s prohibi- 
tions on sale, purchase, and display of SSNs to the general public, as H.R. 
2971 requires. The activities you listed that private investigators provide 
are laudable. Why do you believe that you would not be able to convince 
the U.S. Attorney General during the process of developing and receiving 
comment on regulations that the SSN is needed for these purposes and that 
the costs do not outweigh the benefits? 

Answer: HR 2971 includes several exceptions to the restrictions on the use of 
SSNs in section 107. These include exceptions for law enforcement, child support, 
national security, public health, emergencies, research and where the Attorney Gen- 
eral determines appropriate. We believe investigations in anticipation of litigation, 
due diligence, insurance claims, civil and criminal fraud, criminal defense, identity 
fraud, stalking and other violations of law are just as deserving of exception. Not 
clearly listing these investigations in the statute sends a message to the Depart- 
ment that they are of less concern to Congress. Our industry has had recent experi- 
ence with administrative interpretations of statute. Until corrected by statute last 
year, the FTC had interpreted the Fair Credit Reporting Act to require the consent 
of employees suspected of workplace misconduct before we could institute an inves- 
tigation! We want to avoid repeating that experience. 

The FTC is statutorily barred from promulgating regulations on the FCRA. 15 
U.S.C. § 1681s(a)(4). The agency issues a non-binding commentary on the Act. Cred- 
it, Trade Practices, 16 CFR §600, 607 (1995). 

Questions from Chairman E. Clay Shaw, Jr. to Mr. Mike Buengerer 

Question: What did the guidelines developed by the Conference of Chief 
Justices and Conference of State Court Administrators recommend with re- 
gard to display of SSNs, particularly on the Internet? What were the con- 
siderations that went into that recommendation? Didn’t the draft version 
of the guidelines recommend excluding all but the last four digits of the 
SSN from display to the general public? Why did the group back off that 
recommendation? 

Answer: With respect to the display of documents containing SSNs on the Inter- 
net or available electronically, the Guidelines recommended that courts consider 
whether those documents be accessible only on computer terminals within a court’s 
facility. This proposal could be costly to implement as it would require court staff 
to examine documents to see if the contained SSNs and other sensitive information. 

The preeminent consideration in the development of this recommendation was ad- 
dressing the twin goals of protecting an individual’s privacy and maintaining public 
access to the courts, which includes access to court documents. Many state constitu- 
tions possess so-called “open court” provisions that have generally been interpreted 
to mean that not only the courthouse doors but also the records of the court must 
be made available to the public. Other factors included: costs (both staff time and 
technology expenses), future technological advances, differing resource levels from 
court to court, inconvenience to court customers, and measuring the effectiveness of 
this approach. 

Question: Court systems may sell copies of their records, individually or 
in a batch, to information resellers and others, correct? How does this 
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process work? How much revenue is raised by such sales? Would informa- 
tion resellers seek to purchase those records as frequently or at the same 
price if they did not contain SSNs? 

The FTC is statutorily barred from promulgating regulations on the 
FCRA. 15 U.S.C. § 1681s(a)(4). The agency issues a non-binding commentary on the 
Act. Credit, Trade Practices, 16 CFR §600, 607 (1995). 

Answer: The interaction between information resellers and state courts vary wide- 
ly from jurisdiction to jurisdiction. Generally, some resellers do pay for court records 
in bulk, especially in larger court systems, and these transactions are governed by 
court rules and procedures. In my experience, courts do not generally gain or make 
a “profit” from the bulk sale of court data. The money generated from such trans- 
actions pays for staff time, computer equipment usage/programming costs, paper, 
and cost of media. This is due in no small measure to the provisions of many state 
open record laws that allow state governments (including courts) to make public in- 
formation available at cost but which generally limit the ability of state government 
entities to make information selling a “profit center.” Most court rules governing 
these transactions stipulate that courts can reject a request from a reseller if that 
interferes with their ability to effectively serve the public. I would be glad to share 
examples of those court rules with the Subcommittee. 

I have checked with the National Center for State Courts, the premier research 
institution dealing with state courts, and they report that there has not been a sur- 
vey or study done on the amount of nationwide revenue generated by sales of bulk 
information to the courts. 

I would theorize that information resellers would still purchase those records in 
bulk if they did not contain SSNs. Zip code marketing, home mortgage sale informa- 
tion, addresses and phone numbers are some of the valuable commodities to re- 
sellers that can still be garnered from court records. 

Questions from Chairman E. Clay Shaw, Jr. to Mr. Fred Cate 

Question: You stated that SSNs help locate information that can be used 
to verify the identity of a person. Why then is identity theft increasing at 
such a rapid pace despite the fact that creditors and others can use SSNs 
to link to information that helps verify an individual’s identity and when 
they have a financial incentive to do so? 

Answer: 

1. As I testified, according to the most recent research conducted for the FTC, 
most identity theft is not committed by strangers, but rather by family mem- 
bers, friends, co-workers, and employees of organizations with whom the victim 
has contact. Social Security Numbers play a very limited role in these types 
of identity theft, and so the value of Social Security Numbers to help prevent 
identity theft and other frauds is limited. 

In other situations, where a stranger uses a Social Security Number as one tool 
to help open a fraudulent account in a third party’s name, Social Security Numbers 
have been very effective in helping to deter many incidents of identity theft. They 
would be even more effective (a) if they were more widely used by retailers, credit 
grantors, and others, and (b) if those same parties were more diligent in matching 
the identifying information in the credit file which the Social Security Number ref- 
erences to the individual seeking credit. In their haste to provide speedy service to 
a customer, some retailer and credit grantor may appear not to be diligently match- 
ing address, telephone number, and other available information that could be used 
to better verify identity.. 

Two caveats are important here. First, the problem of matching information is es- 
pecially great in online and telephone commerce, where the applicant and credit 
grantor are not located in the same place. Nevertheless, many Internet and tele- 
phone businesses have been very successful in requiring extensive matching infor- 
mation and thereby holding down fraud. (Consider many airlines, for example, 
which require not only a valid credit card number, but also an address and tele- 
phone number that match the information in the credit card issuer’s file.) 

Question: You have said that ubiquitous SSNs help identify people and 
ensure that information is associated with the correct person. Why then 
have the FTC, the SSA IG, and the Postal Inspection Service identified it 
as a prime tool for terrorists and identity thieves? 

Answer: 

2. Social Security Numbers are a tool for many identity thieves for precisely the 
same reason that they are valuable to legitimate merchants, service providers, 
and consumers: they help provide a necessary link with a payment mechanism 
(e.g., whether a credit file that indicates likely ability to pay or a credit card). 
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We cannot have the positive benefits of instant credit, national commerce, and 
Internet and telephone business, without also having the risk that the same 
tools that make that possible will be used for identity theft. None of the gov- 
ernment authorities to which you refer in your question has to my knowledge 
voiced any contradictory conclusion. 

This is why I believe all of the available research suggests that the long-term so- 
lution to identity theft is not to restrict the use of Social Security Numbers, but to 
enhance their integrity and availability. If retailers and credit grantors were given 
greater incentives to check the file indicated by the Social Security Number pre- 
sented by the customer and then match the information there with information pre- 
sented by the customer, identity theft could be significantly reduced. 

However, again, it must be reiterated that such incentives will be far less effective 
if consumers, in turn, are not given incentives to protect their Social Security and 
credit card numbers, avoid disclosing PINs and passwords to colleagues and family 
members, and check their account statements regularly for irregularities. It is easy, 
and therefore tempting, to focus only on the business side of the equation, but many 
of the most critical steps to help guard against identity thieves are uniquely in the 
hands of consumers. Moreover, as the FTC’s recent work in this area demonstrates, 
the speed with which incidents of identity theft are detected is critical to reducing 
the losses they cause, yet a third of all consumers studied by that report never in- 
formed anyone of the theft, even after they discovered them. This suggests that re- 
ports of identity theft are exaggerated or that consumers wren to doing there part 
to help protect themselves. 

Question: This Subcommittee has heard from a number of victims of 
identity theft. A common, and frustrating, theme is that after individuals 
discover the theft and report it to credit bureaus and financial institutions, 
they continue to be victimized by identity theft. How can this continue to 
occur, given the anti-fraud programs the industry cites? In your judgment, 
is the private sector doing enough to combat identity theft and assist its 
victims? Are there more effective ways to assist victims of identity theft to 
correct their credit histories? Should we require the credit industry to give 
priority status to help victims restore their records and good credit? 

Answer: 

3. You highlight a critical issue: the difficulty consumers face in getting their rep- 
utations restored after they have been the victims of identify theft. This is the 
single most consistent refrain from virtually all identity theft victims. Interest- 
ingly, many victims report that their primary frustration is when dealing with 
the government (e.g., getting the police to even take a report of an incident of 
identity theft, clearly up arrest records and traffic offenses resulting from an 
identity theft, finding consistency across the jurisdictions in which an identity 
thief may operate). I would urge you to focus on the government first, because 
there is nothing the public can do if the government fails in its duty. 

The most recent research suggests that identity theft victims find it easier to deal 
with businesses, especially national credit bureaus and credit card issuers. Through 
measures adopted voluntarily by industry and those required by law, often facili- 
tated by the FTC and other federal government agencies, it is getting easier to re- 
port identity theft and to get errors in financial records caused by identity thieves 
corrected. There is still more to be done. One measure that many industry rep- 
resentatives suggest would be useful would be a standardized identity theft police 
report, taken under oath, which could be made available electronically to retailers 
and credit grantors. It is important to remember that consumers often mislead busi- 
nesses in an effort to avoid paying the debts that they have in fact incurred. Rep- 
resentatives of major credit card companies have long testified before Congress that 
many consumers — according to some companies, a majority — who call to object to a 
charge or other expense actually were responsible for it and either forgot it (or for- 
got lending their card to a family member or friend) or were deliberately trying to 
avoid paying it. It is not surprising that businesses might have some hesitation in 
accepting a consumer’s word about an incident of identity theft in the absence of 
a police report. 

Finally, I would encourage the Subcommittee staff to be as precise as possible 
when categorizing the complaints of identity theft victims. My understanding is that 
of those consumers who do have complaints with businesses — as opposed to the gov- 
ernment — most focus on credit grantors, not credit bureaus or other aggregators of 
information. 

Question: If a private entity — for example, a consumer reporting agency, 
health care organization, or information reseller — has an individual’s SSN 
in its possession, and this information is used in an identity theft or fraud, 
should that entity be held strictly liable for any harm done? Please com- 
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ment on the advantages or disadvantages of this idea, as well as its feasi- 
bility and potential effectiveness in combating identity theft. 

Answer: 

4. The concept of liability for misuse of information by a third party has been dis- 
cussed for some time, but so far avoided as a matter of law for what, I suspect, 
are good reasons. First, the proof problems are vast. How do we know where 
an identity thief got the information that he used in his crime? Second, cau- 
sality is not at all clear. As I have noted before, the Social Security Number 
only provides a link to a credit or other file. It cannot — by itself — be used to 
commit identity theft. 

Third, and closely related, there are almost always critical intervening factors 
that are far more important than the Social Security Number. The merchant who 
fails to verify information presented by the customer with that in the credit file, the 
business who accepts fraudulent identification that the thief obtained from the gov- 
ernment, the consumer who fails to review his credit card statement — how is the 
law to assign responsibility to the possessor of the Social Security Number as op- 
posed to these other parties. 

Fourth, liability creates great risks for consumers — risks that merchants will be 
persuaded to invest in protecting Social Security Numbers at the expense of focus- 
ing scarce resources on other anti-identity theft measures, and risks that the addi- 
tional costs of defending against such liability will undercut valuable services, inter- 
fere with consumer convenience, and contribute to increasing prices. Let me be per- 
fectly clear, as a matter of both law and economics, I believe that broad-based liabil- 
ity for Social Security Number misuse by a third party is wholly unworkable. 

That does not mean that there is no role for increased liability at all. When Con- 
gress limited consumer liability for credit card fraud to $50 (thereby effectively im- 
posing that liability on merchants or card issuers, but without creating an invitation 
for expensive and wasteful class actions), it helped drive the greatest expansion of 
consumer credit the world has seen. There may be similar steps that Congress 
should be considering today — modest, targeted, highly focused efforts to create in- 
centives for preventing and fighting identity theft. For example, Congress could pro- 
vide that losses from identity theft will presumptively be the responsibility of any 
merchant whose failure to follow reasonable procedures to verify the identity of the 
customers is exploited by an identity thief. 

As I have indicated, I believe the Subcommittee should think about focusing any 
new liability not only on businesses, but also on individuals, who are often in the 
best place to prevent and detect identity theft. For example, if you legislated a uni- 
form identity theft affidavit, subject to a civil or criminal penalty for anyone who 
knowingly lies when completing one, it would then be far more feasible to expect 
retailers and credit grantors to rely on it and to do so quickly. 

I would caution against too great of a focus on liability at this time, however. Con- 
gress has just put new tools into the hands of consumers and businesses that may 
prove very valuable in the fight against identity theft. Free credit reports, fraud 
flags, and other measures adopted last year as part of the Fair and Accurate Credit 
Transactions Act hold great promise. While the FTC is implementing those and we 
wait to see their impact, I would encourage you to focus on: 

a. educating consumers about the new tools available to them to fight identity 
theft; 

b. ensuring that government is doing its part in that fight by making incidents 
of identity theft easy to report, by improving the systems by which government 
records are cleansed of the deeds of identity thieves, and by improving the 
identity verification process that the government uses when issuing driver’s li- 
censes and other forms of identification on which we all rely; and 

c. continue with those portions of the pending bill that would eliminate the whol- 
ly inappropriate use of Social Security Numbers (on envelopes and checks) and 
toughen penalties against providers of illicit Social Security Numbers and iden- 
tification documents. 

[Submissions for the record follow:l 

June 16, 2004 

The Honorable Clay Shaw 

Chairman, House Ways & Means Subcommittee on Social Security 
B-316 Rayburn House Office Bldg. 

Washington, DC 20515 

Dear Chairman Shaw and Ranking Member Matsui: 

The undersigned organizations applaud your efforts over the past several years 
to craft legislation that will ensure the integrity of the social security number (SSN) 
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in the years ahead. We remain extremely concerned about the proliferation of iden- 
tity theft and other financial crimes that exploit individual SSNs, and believe strong 
legislation should be enacted to combat such nefarious acts. 

As public and private employee benefit plan sponsors, we provided detailed anal- 
ysis of possible legislative proposals on July 24, 2003, to address our concern that 
such legislation could unintentionally hinder the delivery of benefits from, and the 
efficient administration of these plans. In that testimony, we stated that in your bi- 
partisan legislation introduced during the 107 lh Congress, the “Social Security Num- 
ber Privacy and Identity Theft Prevention Act of 2001,” (H.R. 2036), the definitions 
and provisions relating to the “sale,” “purchase” or “display” of a person’s SSN could 
make it more difficult to deliver comprehensive health and retirement benefits to 
public and private employees alike. 

In working with you and your staff over the past year, much of this con- 
cern has subsided. We appreciate the bill you introduced in the 108 th Con- 
gress, H.R. 2971, the “Social Security Number Privacy and Identity Theft 
Prevention Act of 2003.” Although the bill treats public and private sector 
entities somewhat differently, it specifically recognizes the importance of 
voluntary employee benefit plans. Section 208A(a)(2)(B)(ii) (Section 107(a) 
of H.R. 2971) ensures that the provision of and administration of these 
plans will not be hindered by the legislation. 

As you know, public and private employee benefit plans generally use SSNs be- 
cause they enable the accurate and timely administration of benefits for a highly 
mobile workforce, and because use of the SSN is mandated for tax reporting require- 
ments. Plan administrators take seriously the responsibility that the use of SSNs 
requires, and they use the utmost caution and security when SSNs are used in plan 
administration and communications. 

Public and private sector defined benefit and defined contribution pension and 
savings plans, like 401(k), 403(b), and 457 plans, use SSNs to identify plan partici- 
pants, account for employee contributions, implement the employee’s investment di- 
rections, track “rollovers” from other plans, and allow employees to view their ac- 
count activity or benefit accrual online (typically in conjunction with a secure 
“PIN”). We believe that Section 208A(a)(2)(B)(ii) would allow these important proc- 
esses to continue as well. 

Also, SSNs are also used as the primary identifier in many medical and health 
benefit and prescription drug plans to coordinate communications between the doc- 
tor, the medical service provider, and the plan. Again, we believe this section, like 
the allowable legitimate uses of SSNs for national security, law enforcement, public 
health and advancing public knowledge purposes, permits this effective health proc- 
ess to continue. 

As further evidence of your intent to protect the employer-employee relationship, 
Section 109 of H.R. 2971 provides for the continued use of SSNs when expressly re- 
quired under Federal law, such as for W-2 income tax reporting. We applaud this 
effort as well. 

We look forward to continuing to work with you and the Committee to effectively 
address the problem of identity theft without creating unintentional barriers to the 
provision of public and private pension, health and other benefits to employees. To 
this end, we urge you to retain the important provisions described here without 
change as the Committee continues to examine legislative proposals. Please do not 
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hesitate to contact us should you require additional information or wish to discuss 
this issue in more detail. 

Sincerely, 


Jim Klein 
American Benefits Council 
Brian Graff 

American Society of Pension Actuaries 

Tony Lee 

College and University Professional Association for Human Resources 

Janice Gregory 
ERISA Industry Committee 
Bob Shepler 

Financial Executives International’s Committee on Benefits Finance 

Jeannine Markoe Raymond 
National Association of State Retirement Administrators 

Cindie Moore 

National Council on Teacher Retirement 
Chris Stephen 

National Rural Electric Cooperative Association 

Ed Ferrigno 

Profit Sharing 1 401 (k) Council of America 
Mary Huttlinger 
Society for Human Resource Management 


First Data Corporation 
Englewood, Colorado 80112 
June 14, 2004 

The Honorable Clay Shaw 
Chairman, Subcommittee on Social Security 
1102 Longworth House Office Building 
Washington D.C. 20515 

Dear Chairman Shaw, 

On behalf of First Data Corporation, I am submitting this testimony for the 
record. Serving approximately 3.5 million merchant locations, 1,400 card issuers and 
millions of consumers, First Data makes it easy, fast and secure for people and busi- 
nesses to buy goods and services, using virtually any form of payment: credit, debit, 
smart card, stored-value card or check at the point of sale, over the Internet or by 
money transfer. First Data believes that protecting consumers from the misuse of 
Social Security Numbers (SSN) is an important goal. However, it is equally impor- 
tant to ensure that restrictions on the use of SSNs do not disrupt financial activities 
that consumers expect to occur or increase fraud, identity theft, and other criminal 
activities. As a leader in the financial services industry, we offer the following per- 
spective on the positive uses of Social Security Numbers and exemption language 
that we believe should be considered in any legislation restricting the use of SSNs. 

POSITIVE USES — While no one should profit from the display, sale or 
purchase of SSNs, restricting the use of the number may have the unin- 
tended consequence of increasing fraud and identity theft, making it hard- 
er for consumers to obtain the important services they have come to expect 
and rely upon from financial service companies, or increasing both the 
time and cost of obtaining such services. The following are examples of 
positive Social Security Number uses: 

1. Authenticating individuals involved in financial accounts and trans- 
actions — Consumers engage in a wide variety of financial transactions and 
often have numerous financial accounts. Currently, the Social Security Number 
is the most reliable piece of personal information used to verify the identity 
of the consumer. Consumer names, addresses, phone numbers and account 
numbers often change over time. Both the date of birth and mother’s maiden 
name are often easily accessible from public records. In contrast, a Social Secu- 
rity Number remains constant over time and is not, by itself, a public record. 

2. Fraud and Identity Theft — Using a Social Security Number to authenticate 
a consumer is a valuable tool used by the business community to detect fraud 
and identity theft. Unfortunately, it is this same value that makes the Social 
Security Number such a precious commodity to criminals. The goal of any So- 
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cial Security Number legislation should be to limit criminal access to Social Se- 
curity Numbers while preserving its use to stop identity theft. 

PROPOSED EXEMPTIONS — We believe that legislation restricting the use of 
SSNs should include exemptions forthe collection or use of an individual’s SSN in 
connection with the following activities: 

a. To approve, guarantee, process, administer or enforce a financial account or 
transaction involving the individual, including authenticating the individual 
and any information provided by the individual in connection with the account 
or transaction. 

[For example, the SSN is used to ensure that a deceased individual’s So- 
cial Security Number is not used for fraudulent purposes and that future 
communications addressed to the deceased can be stopped.] 

b. To evaluate, detect or reduce risk, fraud, identity theft or possible criminal ac- 
tivities. 

[For example, the SSN is used to locate possible victims of such criminal 
activities.] 

c. To report to or obtain information from a consumer reporting agency pursuant 
to the Federal Fair Credit Reporting Act (15 U.S.C. §1681 et seq), or where 
the collection and use of the individual’s SSN is required by any state or fed- 
eral law, rule or regulation. 

[For example, the SSN is a critical element for creating accurate credit 
reports which allow consumers efficient access to credit and other finan- 
cial transactions.] 

Sincerely, 

Joe Samuel 
Director of Government Relations 


Statement of Stephen B. Copeland, Professional Investigators and Security 
Association, Vienna, Virginia 

Mr. Chairman and Members of the Subcommittee: 

My name is Stephen B. Copeland, and I am President of the Professional Inves- 
tigators and Security Association (PISA). I want to thank you for the opportunity 
to submit testimony on the important issue of identity theft and how to effectively 
combat it. PISA was established in 1984 to represent the private investigation and 
security industries of the Commonwealth of Virginia. PISA’s membership includes 
hundreds of professionals, many of which would be impacted by H.R. 2971. 

In Virginia, these industries are regulated and monitored by the Private Security 
Services Section of the Commonwealth’s Department of Criminal Justice Services. 
Extensive training, registration, certification and licensing requirements, coupled 
with criminal background checks, help ensure a high degree of competence and ad- 
herence to ethical standards. The Department of Criminal Justice Services also con- 
ducts investigations and audits of firms, individuals and training schools in the pri- 
vate security industry to ensure compliance with the requirements of Virginia law 
and regulations. 

PISA is supportive of federal legislative efforts to prevent identity theft and assist 
victims of this fast-growing crime. Many of our members have been on the front 
lines of the battle against identity theft, assisting companies and individual identity 
theft victims by investigating, documenting, and exposing identity theft and fraud. 
In these efforts, Social Security Numbers and credit header data are critical inves- 
tigative tools when used appropriately by law enforcement and licensed private in- 
vestigation and security businesses. 

Private investigation and security professionals use this data for a variety of other 
purposes as well, including child support enforcement, locating missing persons and 
heirs, fraud prevention, and employee background investigations. 

Currently, access to Social Security Number and credit header data is not limited 
to credentialed professionals, but is also being made available to the general public, 
especially through the Internet. This access creates many opportunities for abuse 
by potential identity thieves. However, as noted recently by the General Accounting 
Office, restricting legitimate use of identified data by businesses could hurt con- 
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sumers and in fact make identity theft easier by making identity confirmation and 
background investigations more difficult. 

To best serve the interests of the public, Congress must balance restricting access 
to Social Security Numbers and credit header data with the legitimate needs of law 
enforcement, businesses, and investigation and security professionals. While the ob- 
jectives of H.R. 2971 are laudable, sections 107 and 108 would have a serious nega- 
tive impact on the ability to investigate cases of identity theft and confirm the accu- 
racy of background information provided by individuals. 

We urge Congress to help prevent and combat identity theft by ensuring that any 
additional limitations on access to Social Security Number and credit header data 
preserve appropriate access by credentialed private investigation and security pro- 
fessionals. 

o 



